
Windows Analysis Report
Shipping documents PO 16103 INV.exe

Overview

General Information

Sample name:Shipping documents PO 16103 INV.exe
Analysis ID:1483270
MD5:671423091cbffb473016291d68a5b49b
SHA1:07f1a0c895fa372f6043fbf013b78321a6939193
SHA256:31fdf75cd3cf71f770eb158141183b08ed0845b27ecd2e90ce20eb3c4e4642c0
Tags:exe, RemcosRAT

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • Shipping documents PO 16103 INV.exe (PID: 5896 cmdline: "C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe" MD5: 671423091CBFFB473016291D68A5B49B)
    • conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MSBuild.exe (PID: 3516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
    • AddInProcess32.exe (PID: 3212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • AddInProcess32.exe (PID: 3088 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\vunykblr" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • AddInProcess32.exe (PID: 2828 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • AddInProcess32.exe (PID: 3896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
      • AddInProcess32.exe (PID: 5368 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\hqgjmdgmcefhebf" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "178.23.190.118:52499:0", "Assigned name": "Dollar Man", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-SJ9MVF", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Source: 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000004.00000002.4544415649.0000000002DDE000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 4.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 4.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 4.2.AddInProcess32.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
Source: 4.2.AddInProcess32.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
Source: 4.2.AddInProcess32.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 3212, TargetFilename: C:\ProgramData\remcos\logs.dat

No Snort rule has matched

Timestamp:2024-07-26T23:58:58.003146+0200
SID:2032777
Source Port:52499
Destination Port:49710
Protocol:TCP
Classtype:Malware Command and Control Activity Detected

Timestamp:2024-07-26T23:54:58.863658+0200
SID:2803304
Source Port:49712
Destination Port:80
Protocol:TCP
Classtype:Unknown Traffic

Timestamp:2024-07-26T23:55:14.692707+0200
SID:2022930
Source Port:443
Destination Port:49715
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-07-26T23:56:57.970794+0200
SID:2032777
Source Port:52499
Destination Port:49710
Protocol:TCP
Classtype:Malware Command and Control Activity Detected

Timestamp:2024-07-26T23:54:57.593214+0200
SID:2032777
Source Port:52499
Destination Port:49710
Protocol:TCP
Classtype:Malware Command and Control Activity Detected

Timestamp:2024-07-26T23:55:52.583949+0200
SID:2022930
Source Port:443
Destination Port:49722
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-07-26T23:54:56.646492+0200
SID:2032776
Source Port:49710
Destination Port:52499
Protocol:TCP
Classtype:Malware Command and Control Activity Detected

AV Detection

Source: 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "178.23.190.118:52499:0", "Assigned name": "Dollar Man", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-SJ9MVF", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: Shipping documents PO 16103 INV.exe | ReversingLabs: Detection: 44%
Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4544415649.0000000002DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipping documents PO 16103 INV.exe PID: 5896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 3212, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,4_2_00433837
Source: Shipping documents PO 16103 INV.exe, 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- | memstr_ff9658f0-3

Exploits

Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipping documents PO 16103 INV.exe PID: 5896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 3212, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004074FD _wcslen,CoGetObject,4_2_004074FD
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49718 version: TLS 1.0
Source: Shipping documents PO 16103 INV.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0044E879 FindFirstFileExA,4_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040783C FindFirstFileW,FindNextFileW,4_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_100010F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_10006580 FindFirstFileExA,4_2_10006580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,6_2_0040AE51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00407EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407C97

Networking

Source: Malware configuration extractor | URLs: 178.23.190.118
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 178.23.190.118:52499
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | IP Address: 178.23.190.118
Source: Joe Sandbox View | ASN Name: LYNERO-ASDK
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49718 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64 (3 identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 178.23.190.118 (47 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,4_2_0041B380
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: AddInProcess32.exe, AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: AddInProcess32.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: AddInProcess32.exe, 00000006.00000002.2129157808.0000000002A18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: AddInProcess32.exe, 00000006.00000002.2129157808.0000000002A18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: AddInProcess32.exe, 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: AddInProcess32.exe, 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvC750.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                  Source: AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                  Source: AddInProcess32.exe, 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp$
                  Source: Shipping documents PO 16103 INV.exe, 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://ocsp.digicert.com0:
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://ocsp.digicert.com0H
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://ocsp.digicert.com0I
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://ocsp.digicert.com0Q
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://ocsp.msocsp.com0
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://ocsp.msocsp.com0S
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: bhvC750.tmp.6.drString found in binary or memory: http://www.digicert.com/CPS0~
                  Source: AddInProcess32.exe, AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                  Source: AddInProcess32.exe, AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                  Source: AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                  Source: AddInProcess32.exe, 00000006.00000002.2127944386.0000000000B64000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                  Source: AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                  Source: Shipping documents PO 16103 INV.exeString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
                  Source: Shipping documents PO 16103 INV.exeString found in binary or memory: https://aka.ms/nativeaot-c
                  Source: Shipping documents PO 16103 INV.exeString found in binary or memory: https://aka.ms/nativeaot-compatibility
                  Source: Shipping documents PO 16103 INV.exe, 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibilityX
                  Source: Shipping documents PO 16103 INV.exeString found in binary or memory: https://aka.ms/nativeaot-compatibilityY
                  Source: Shipping documents PO 16103 INV.exeString found in binary or memory: https://aka.ms/nativeaot-compatibilityy
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?0684adfa5500b3bab63593997d26215c
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?79b1312614e5ac304828ba5e1fdb4fa3
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7ae939fc98ce1346dd2e496abdba2d3b
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?9f3db9405f1b2793ad8d8de9770248e4
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?4aec53910de6415b25f2c4faf3f7e54a
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?77290711a5e44a163ac2e666ad7b53fd
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                  Source: AddInProcess32.exe, 00000006.00000002.2127910752.0000000000A6C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://login.li
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                  Source: AddInProcess32.exeString found in binary or memory: https://login.yahoo.com/config/login
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-30-24/PreSignInSettingsConfig.json?One
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-40-12/PreSignInSettingsConfig.json
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=14d1c105224b3e736c3c
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=7fe112
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: AddInProcess32.exe, AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                  Source: AddInProcess32.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhvC750.tmp.6.drString found in binary or memory: https://www.office.com/
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx

                  E-Banking Fraud

                  Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.4544415649.0000000002DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Shipping documents PO 16103 INV.exe PID: 5896, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 3212, type: MEMORYSTR
                  Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041C9E2 SystemParametersInfoW

                  System Summary

                  Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: Shipping documents PO 16103 INV.exe PID: 5896, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: AddInProcess32.exe PID: 3212, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: initial sampleStatic PE information: Filename: Shipping documents PO 16103 INV.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess Stats: CPU usage > 49%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,4_2_004180EF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,4_2_004132D2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,4_2_0041BB09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,4_2_0041BB35
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,6_2_0040DD85
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 6_2_00401806 NtdllDefWindowProc_W,6_2_00401806
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 6_2_004018C0 NtdllDefWindowProc_W,6_2_004018C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_004016FD NtdllDefWindowProc_A,8_2_004016FD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_004017B7 NtdllDefWindowProc_A,8_2_004017B7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_00402CAC NtdllDefWindowProc_A,9_2_00402CAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 9_2_00402D66 NtdllDefWindowProc_A,9_2_00402D66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,4_2_004167B4
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948907500_2_00007FF694890750
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948791400_2_00007FF694879140
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF69488C3500_2_00007FF69488C350
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF69488ED000_2_00007FF69488ED00
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF69488DE200_2_00007FF69488DE20
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF69488F5500_2_00007FF69488F550
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF694888F300_2_00007FF694888F30
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948937F00_2_00007FF6948937F0
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF69487FF900_2_00007FF69487FF90
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948928F00_2_00007FF6948928F0
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948739100_2_00007FF694873910
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948680B00_2_00007FF6948680B0
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948919F00_2_00007FF6948919F0
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF69487F9E40_2_00007FF69487F9E4
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6949141600_2_00007FF694914160
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948941600_2_00007FF694894160
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF694888AB00_2_00007FF694888AB0
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF694898BC00_2_00007FF694898BC0
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF694876BB60_2_00007FF694876BB6
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF69487E4E00_2_00007FF69487E4E0
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF694872C500_2_00007FF694872C50
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948924800_2_00007FF694892480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00436FEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_10017194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_1000B5C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0043610D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00447310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0040755A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0043C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_004476F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044B870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044081D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00414957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_004079EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00407AEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044AA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00412AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00404B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00404B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044BBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00404BE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00404C76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00415CFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00416D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00446D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00446D8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00406E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00405038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041208C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004050A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040511A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043C13A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004051AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00449300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040D322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0044A4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043A5AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00413631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00446690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0044A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004398D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004498E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0044A886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00438D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00449ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041FE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00430F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_004050C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_004014AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00405133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_004051A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00401246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_0040CA46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00405235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_004032C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00401689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00402F60
Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Code function: String function: 00007FF694869D50 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00416760 appears 69 times
Source: Shipping documents PO 16103 INV.exe | Binary or memory string: OriginalFilename vs Shipping documents PO 16103 INV.exe
Source: Shipping documents PO 16103 INV.exe, 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIArraySortHelper2EnglishCountryName.dllh$ vs Shipping documents PO 16103 INV.exe
Source: Shipping documents PO 16103 INV.exe, 00000000.00000002.2097424848.0000021723800000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIArraySortHelper2EnglishCountryName.dllh$ vs Shipping documents PO 16103 INV.exe
Source: Shipping documents PO 16103 INV.exe | Binary or memory string: OriginalFilenameIArraySortHelper2EnglishCountryName.dllh$ vs Shipping documents PO 16103 INV.exe
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Shipping documents PO 16103 INV.exe PID: 5896, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: AddInProcess32.exe PID: 3212, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Shipping documents PO 16103 INV.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9982564983230134
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@14/4@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Code function: 0_2_00007FF694872A80 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
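The "Code function" evidence lines above list the Win32 API calls found in each function, in call order: a token-privilege adjustment followed by GetLargePageMinimum/VirtualAllocExNuma in the dropper (a pair commonly used as an anti-emulation probe, since many emulators do not implement those APIs), a Toolhelp32 process walk, a resource-section payload load, and a service start in the injected AddInProcess32.exe. The following triage helper is an added example written for this page, not part of the Joe Sandbox report or of Remcos: it parses copies of those report lines into (process index, address, API list) and tags each function by ordered API subsequence. The " | " column separator and the rule names are assumptions chosen for the example; the evidence strings themselves are transcribed from the report.

```python
import re
from dataclasses import dataclass, field

# Constructed copies of the "Code function" evidence lines from this report.
# The " | " separator is an assumption: the sandbox export runs the Source
# and Signature columns together, so the parser tolerates both forms.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Code function: 0_2_00007FF694872A80 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,0_2_00007FF694872A80",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,4_2_00417952",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,9_2_00410DE1",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,6_2_00418758",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,4_2_0040F474",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,4_2_0041B4A8",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_0041AA4A",
]

FUNC_RE = re.compile(r"Code function:\s*(\d+)_(\d+)_([0-9A-Fa-f]+)\s+(\S+)")
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Ordered API subsequences (names with the A/W suffix folded). Rule names are
# chosen for this example; they are not Joe Sandbox signature names.
SEQUENCE_RULES = {
    "enables_token_privilege": ["LookupPrivilegeValue", "AdjustTokenPrivileges"],
    "numa_alloc_anti_emulation": ["GetLargePageMinimum", "VirtualAllocExNuma"],
    "enumerates_processes": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    "loads_embedded_resource": ["FindResource", "LoadResource", "LockResource"],
    "starts_service": ["OpenSCManager", "OpenService", "StartService"],
}


@dataclass
class CodeFunction:
    source: str          # image the function was found in
    process_index: int   # Joe Sandbox process index; 0 is the submitted sample
    address: str         # function start address as printed in the report
    apis: list           # API names in call order, A/W suffix folded
    tags: list = field(default_factory=list)


def normalize(api: str) -> str:
    """Fold the ANSI/Unicode suffix so LookupPrivilegeValueA and ...W hit one rule."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", api)


def parse_line(line: str):
    """Return a CodeFunction for a 'Code function' evidence line, else None."""
    m = FUNC_RE.search(line)
    if not m:
        return None
    source = line[: m.start()].replace("Source:", "", 1).strip(" |")
    # The export repeats the function id after the last API name; drop it.
    apis = [normalize(a) for a in m.group(4).split(",") if a and not FUNC_ID_RE.match(a)]
    return CodeFunction(source, int(m.group(1)), m.group(3), apis)


def is_subsequence(needle, haystack) -> bool:
    """True when every item of needle appears in haystack in that relative order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def classify(func: CodeFunction) -> CodeFunction:
    func.tags = [name for name, seq in SEQUENCE_RULES.items() if is_subsequence(seq, func.apis)]
    # Repeated GetProcAddress with no LoadLibrary in the chain: imports resolved at runtime.
    if func.apis.count("GetProcAddress") >= 2:
        func.tags.append("resolves_imports_at_runtime")
    return func


def summarize(lines) -> dict:
    """Map '<process index>_<address>' to its tags for every function that hit a rule."""
    funcs = (classify(f) for f in map(parse_line, lines) if f is not None)
    return {f"{f.process_index}_{f.address}": f.tags for f in funcs if f.tags}


if __name__ == "__main__":
    for key, tags in summarize(REPORT_LINES).items():
        print(key, ", ".join(tags))
```

Functions that hit no rule (the GetDiskFreeSpace helper at 6_2_00418758) are dropped from the summary so the analyst sees only the chains worth opening in a disassembler; the process index in the key ties each hit back to the report's process tree.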
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-SJ9MVF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File created: C:\Users\user\AppData\Local\Temp\bhvC750.tmp
Source: Shipping documents PO 16103 INV.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | System information queried: HandleInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AddInProcess32.exe, AddInProcess32.exe, 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: AddInProcess32.exe, AddInProcess32.exe, 00000008.00000002.2120174007.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: AddInProcess32.exe, 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: AddInProcess32.exe, AddInProcess32.exe, 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: AddInProcess32.exe, AddInProcess32.exe, 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: AddInProcess32.exe, AddInProcess32.exe, 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: AddInProcess32.exe, 00000006.00000002.2129217648.0000000002F3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: AddInProcess32.exe, AddInProcess32.exe, 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: Shipping documents PO 16103 INV.exeReversingLabs: Detection: 44%
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeFile read: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                  Source: unknownProcess created: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe "C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe"
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\vunykblr"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\hqgjmdgmcefhebf"
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\vunykblr"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\hqgjmdgmcefhebf"
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: vaultcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: Image base 0x140000000 > 0x60000000
                  Source: Shipping documents PO 16103 INV.exe | Static file information: File size 2672640 > 1048576
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CB50
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: section name: .managed
                  Source: Shipping documents PO 16103 INV.exe | Static PE information: section name: hydrated
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00457106 push ecx; ret 4_2_00457119
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0045B11A push esp; ret 4_2_0045B141
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0045E54D push esi; ret 4_2_0045E556
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00457A28 push eax; ret 4_2_00457A46
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00434E56 push ecx; ret 4_2_00434E69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_10002806 push ecx; ret 4_2_10002819
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044693D push ecx; ret 6_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044DB70 push eax; ret 6_2_0044DB84
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0044DB70 push eax; ret 6_2_0044DBAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_00451D54 push eax; ret 6_2_00451D61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0044B090 push eax; ret 8_2_0044B0A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0044B090 push eax; ret 8_2_0044B0CC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00451D34 push eax; ret 8_2_00451D41
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00444E71 push ecx; ret 8_2_00444E81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00414060 push eax; ret 9_2_00414074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00414060 push eax; ret 9_2_0041409C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00414039 push ecx; ret 9_2_00414049
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_004164EB push 0000006Ah; retf 9_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00416553 push 0000006Ah; retf 9_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00416555 push 0000006Ah; retf 9_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00406EB0 ShellExecuteW,URLDownloadToFileW,4_2_00406EB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_0041AA4A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040F7A7 Sleep,ExitProcess,4_2_0040F7A7
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory allocated: 2171EF70000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,6_2_0040DD85
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_2_0041A748
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 9465
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: foregroundWindowGot 1768
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | API coverage: 9.8 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6620 | Thread sleep count: 264 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6620 | Thread sleep time: -132000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3928 | Thread sleep time: -51000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3928 | Thread sleep count: 9465 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3928 | Thread sleep time: -28395000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409253
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C291
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C34D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409665
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0044E879 FindFirstFileExA,4_2_0044E879
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_0040880C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040783C FindFirstFileW,FindNextFileW,4_2_0040783C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419AF5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD37
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_100010F1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_10006580 FindFirstFileExA,4_2_10006580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,6_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 9_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,9_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407C97
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Code function: 0_2_00007FF6948726B0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,0_2_00007FF6948726B0
                  Source: Shipping documents PO 16103 INV.exe | Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
                  Source: AddInProcess32.exe, 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4543508268.00000000010FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: bhvC750.tmp.6.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | API call chain: ExitProcess graph end node graph_4-55110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | API call chain: ExitProcess graph end node
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_004349F9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004432B5 mov eax, dword ptr fs:[00000030h] 4_2_004432B5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_10004AB4 mov eax, dword ptr fs:[00000030h] 4_2_10004AB4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,4_2_00411CFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Code function: 0_2_00007FF694865760 RtlAddVectoredExceptionHandler,0_2_00007FF694865760
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Code function: 0_2_00007FF6948C9A88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6948C9A88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00434B47 SetUnhandledExceptionFilter,4_2_00434B47
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0043BB22
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00434FDC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_100060E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_10002639
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_10002B1C

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,4_2_004180EF
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: D04008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_2_004120F7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_00419627 mouse_event,4_2_00419627
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\vunykblr"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\hqgjmdgmcefhebf"Jump to behavior
                  Source: AddInProcess32.exe, 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerineer
                  Source: AddInProcess32.exe, 00000004.00000002.4543508268.00000000010EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerVF\*
                  Source: AddInProcess32.exe, 00000004.00000002.4543508268.00000000010EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerVF\cf
                  Source: AddInProcess32.exe, 00000004.00000002.4543508268.00000000010EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerVF\pT
                  Source: AddInProcess32.exe, 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerD
                  Source: AddInProcess32.exe, 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: AddInProcess32.exe, 00000004.00000002.4543508268.00000000010EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerVF\35
                  Source: AddInProcess32.exe, 00000004.00000002.4543508268.00000000010EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerVF\yT
                  Source: AddInProcess32.exe, 00000004.00000002.4543508268.00000000010EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerVF\fT
                  Source: AddInProcess32.exe, 00000004.00000002.4543508268.00000000010EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerVF\
                  Source: AddInProcess32.exe, 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager2
                  Source: AddInProcess32.exe, 00000004.00000002.4543389272.00000000010B1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: AddInProcess32.exe, 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager9
                  Source: AddInProcess32.exe, 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp, logs.dat.4.drBinary or memory string: [Program Manager]
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF694865410 cpuid 0_2_00007FF694865410
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoA,4_2_0040F8D1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,4_2_00452036
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_004520C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,4_2_00452313
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,4_2_00448404
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_0045243C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,4_2_00452543
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00452610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,4_2_004488ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_00451CD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,4_2_00451F50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,4_2_00451F9B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Shipping documents PO 16103 INV.exeCode function: 0_2_00007FF6948C955C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6948C955C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_0041B60D GetComputerNameExW,GetUserNameW,4_2_0041B60D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00449190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 6_2_0041739B GetVersionExW,6_2_0041739B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4544415649.0000000002DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipping documents PO 16103 INV.exe PID: 5896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 3212, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 4_2_0040BA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 4_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: \key3.db 4_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: ESMTPPassword 8_2_004033F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 8_2_00402DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 8_2_00402DB3
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 3212, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 3088, type: MEMORYSTR

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-SJ9MVF
Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217247c1688.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipping documents PO 16103 INV.exe.217245627f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4544415649.0000000002DDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Shipping documents PO 16103 INV.exe PID: 5896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 3212, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: cmd.exe 4_2_0040569A
MITRE ATT&CK Matrix (numbers in parentheses are the per-technique counts shown in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (11) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (2) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (12) | Windows Service (1) | Bypass User Account Control (1) | Obfuscated Files or Information (2) | Input Capture (211) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (22) | Exfiltration Over Bluetooth | Defacement (1)
Email Addresses | DNS Server | Domain Accounts | Service Execution (2) | Logon Script (Windows) | Access Token Manipulation (1) | Software Packing (1) | Credentials in Registry (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Email Collection (1) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (1) | DLL Side-Loading (1) | Credentials In Files (3) | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture (211) | Remote Access Software (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (522) | Bypass User Account Control (1) | LSA Secrets | System Information Discovery (38) | SSH | Clipboard Data (3) | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (1) | Cached Domain Credentials | Security Software Discovery (31) | VNC | GUI Input Capture | Application Layer Protocol (13) | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (2) | DCSync | Virtualization/Sandbox Evasion (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | Process Discovery (4) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (522) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1483270 | Sample: Shipping documents PO 16103... | Start date: 26/07/2024 | Architecture: WINDOWS | Score: 100

Top-level DNS/IP info: geoplugin.net; fp2e7a.wpc.phicdn.net; 2 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

Process tree:
• Shipping documents PO 16103 INV.exe (started)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  • AddInProcess32.exe (started)
    DNS/IP info: 178.23.190.118, ports 49710, 49711, 52499, LYNERO-ASDK, unknown; geoplugin.net 178.237.33.50, ports 49712, 80, ATOM86-ASATOM86NL, Netherlands
    Dropped file: C:\ProgramData\remcos\logs.dat, data
    Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 8 other signatures
    • AddInProcess32.exe (started)
      Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
    • AddInProcess32.exe (started)
      Signatures: Tries to harvest and steal browser information (history, passwords, etc)
    • AddInProcess32.exe (started)
    • AddInProcess32.exe (started)
  • conhost.exe (started)
  • MSBuild.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
Shipping documents PO 16103 INV.exe | 45% | ReversingLabs | Win64.Backdoor.Remcos
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.imvu.comr | 0% | URL Reputation | safe
http://www.imvu.com | 0% | URL Reputation | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://login.yahoo.com/config/login | 0% | URL Reputation | safe
http://www.ebuddy.com | 0% | URL Reputation | safe
http://www.nirsoft.net | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=wsb | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-compatibilityy | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud | safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-c | 0% | Avira URL Cloud | safe
https://login.li | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp$ | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
178.23.190.118 | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL | 0% | Avira URL Cloud | safe
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-compatibilityX | 0% | Avira URL Cloud | safe
https://aka.ms/nativeaot-compatibility | 0% | Avira URL Cloud | safe
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Avira URL Cloud | safe
https://aka.ms/GlobalizationInvariantMode | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c& | 0% | Avira URL Cloud | safe
Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
178.23.190.118 | true | Avira URL Cloud: safe | unknown
URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp$ | AddInProcess32.exe, 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.office.com/ | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingth | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-c | Shipping documents PO 16103 INV.exe | false | Avira URL Cloud: safe | unknown
https://login.li | AddInProcess32.exe, 00000006.00000002.2127910752.0000000000A6C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibilityy | Shipping documents PO 16103 INV.exe | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | AddInProcess32.exe, AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aefd.nelreports.net/api/report?cat=wsb | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | AddInProcess32.exe, 00000006.00000002.2127944386.0000000000B64000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvC750.tmp.6.dr | false | URL Reputation: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | AddInProcess32.exe, AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaot | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | Shipping documents PO 16103 INV.exe, 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibility | Shipping documents PO 16103 INV.exe | false | Avira URL Cloud: safe | unknown
https://aka.ms/nativeaot-compatibilityY | Shipping documents PO 16103 INV.exe | false | | unknown
https://aka.ms/nativeaot-compatibilityX | Shipping documents PO 16103 INV.exe, 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | AddInProcess32.exe | false | Avira URL Cloud: safe | unknown
https://aka.ms/GlobalizationInvariantMode | Shipping documents PO 16103 INV.exe | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | AddInProcess32.exe | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c& | bhvC750.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | AddInProcess32.exe, AddInProcess32.exe, 00000009.00000002.2121338283.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
178.23.190.118 | unknown | unknown | 196724 | LYNERO-ASDK | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1483270
                          Start date and time:2024-07-26 23:54:08 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 51s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Shipping documents PO 16103 INV.exe
                          Detection:MAL
                          Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@14/4@1/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 83%
                          • Number of executed functions: 164
                          • Number of non-executed functions: 260
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
• Override analysis time to 240000 for currently running targets with high CPU consumption
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 40.113.103.199, 20.114.59.183, 192.229.221.95, 20.242.39.171, 199.232.210.172, 20.166.126.56, 93.184.221.240, 40.113.110.67
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: Shipping documents PO 16103 INV.exe
Time | Type | Description
17:55:27 | API Interceptor | 9347881x Sleep call for process: AddInProcess32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 178.237.33.50
• 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
• 172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
• 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
• girlfrnd.doc | malicious | GuLoader, Remcos | geoplugin.net/json.gp
• erthings.doc | malicious | Remcos | geoplugin.net/json.gp
• girlfrnd.doc | malicious | Remcos | geoplugin.net/json.gp
• UD61dgs2rz.exe | malicious | Remcos | geoplugin.net/json.gp
• DHL Shipment Notification 490104998009.xls | malicious | Remcos | geoplugin.net/json.gp
• Purchase Inquiry.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
• AWD 490104998518.xls | malicious | Remcos | geoplugin.net/json.gp
Match: 178.23.190.118
• CFS-0682-2-08 Order.exe | malicious | Remcos | no context
• DHL Shipment Document Waybill .exe | malicious | Remcos | no context
• DHL Shipment Document Waybill NO # 1363232194.exe | malicious | Remcos | no context
• SC-91048-docs.exe | malicious | Remcos, GuLoader | no context
• Requirement Against PO. No. 242313609.pdf.exe | malicious | GuLoader, RedLine | no context
• SecuriteInfo.com.Trojan.NSIS.Injector.28272.29476.exe | malicious | GuLoader, RedLine | no context
• Price Offer_1200R4 1200R20.exe | malicious | GuLoader, RedLine | no context
• RFQ SY103 2nd order 2024.exe | malicious | RedLine | no context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: bg.microsoft.map.fastly.net
• https://intralinks.us.com/chrI1Asz01vanm3Tuyl2APdermavanm3Tz01coTxm | malicious | HTMLPhisher | 199.232.210.172
• 1lKbb2hF7fYToopfpmEvlyRN.exe | malicious | LummaC, Vidar | 199.232.210.172
• https://1drv.ms/b/c/0524e941baea8759/EbTQ6AvSTkdPuFAldWpGokYBh0MxWHPfUcZj1H5z_yZ5Ew?e=cIicc7 | malicious | Unknown | 199.232.210.172
• https://www.canva.com/design/DAGMEHwBhBU/KuqkCNaGGLCBR8SypHXNgw/edit?utm_content=DAGMEHwBhBU&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton | malicious | Unknown | 199.232.210.172
• https://123formbuilder.info/wj412l/#9ryano@vib.tech | malicious | HTMLPhisher | 199.232.214.172
• https://rlbjalk.vk.com//away.php?to=https://brandequity.economictimes.indiatimes.com/etl.php?url=lamachado.com.br/dayo/2d5vx/cm9zZWxsYS5hdHRyb3R0b0BhY2NpYWllcmllZGl0YWxpYS5jb20=$%C3%A3%E2%82%AC%E2%80%9A | malicious | Unknown | 199.232.210.172
• https://alamanaschool-my.sharepoint.com/:o:/g/personal/faridhajahan_kg_amanaschool_com/EjJ3Pc0GI4lCgL5xS_fmQD0Bn9XR0VtN5_yNafsBQyYJsg?e=OHPWmQ | malicious | Unknown | 199.232.214.172
• setup.exe | malicious | Neoreklami | 199.232.210.172
• https://mail.feyro.com/d2/xzw/ | malicious | Unknown | 199.232.214.172
• https://www.congresosucv.com/maindeal/fxc/bWVsaXNzYS53aGl0ZWh1cnN0QGFmZm9yZGFibGVkZW50dXJlcy5jb20= | malicious | HTMLPhisher | 199.232.214.172
Match: fp2e7a.wpc.phicdn.net
• 37.dll | malicious | Numando | 192.229.221.95
• http://shipit.mmthriftapps.com/login.aspx | malicious | Unknown | 192.229.221.95
• http://www.wi2sys.com.br/ | malicious | Unknown | 192.229.221.95
• https://intralinks.us.com/chrI1Asz01vanm3Tuyl2APdermavanm3Tz01coTxm | malicious | HTMLPhisher | 192.229.221.95
• https://mrlocksmithpenticton.com/mlc/ | malicious | HTMLPhisher | 192.229.221.95
• https://new-sneww-online-nowz-all.azurewebsites.net/?referrer=appmetrica_tracking_id%3D173005530304969909%26ym_tracking_id%3D10094745761516744100 | malicious | Unknown | 192.229.221.95
• 1lKbb2hF7fYToopfpmEvlyRN.exe | malicious | LummaC, Vidar | 192.229.221.95
• https://1drv.ms/b/c/0524e941baea8759/EbTQ6AvSTkdPuFAldWpGokYBh0MxWHPfUcZj1H5z_yZ5Ew?e=cIicc7 | malicious | Unknown | 192.229.221.95
• https://www.canva.com/design/DAGMEHwBhBU/KuqkCNaGGLCBR8SypHXNgw/edit?utm_content=DAGMEHwBhBU&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton | malicious | Unknown | 192.229.221.95
• https://123formbuilder.info/wj412l/#9ryano@vib.tech | malicious | HTMLPhisher | 192.229.221.95
Match: geoplugin.net
• 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | malicious | GuLoader, Remcos | 178.237.33.50
• 172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• girlfrnd.doc | malicious | GuLoader, Remcos | 178.237.33.50
• erthings.doc | malicious | Remcos | 178.237.33.50
• girlfrnd.doc | malicious | Remcos | 178.237.33.50
• UD61dgs2rz.exe | malicious | Remcos | 178.237.33.50
• DHL Shipment Notification 490104998009.xls | malicious | Remcos | 178.237.33.50
• Purchase Inquiry.xla.xlsx | malicious | Remcos | 178.237.33.50
• AWD 490104998518.xls | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: LYNERO-ASDK
• CFS-0682-2-08 Order.exe | malicious | Remcos | 178.23.190.118
• DHL Shipment Document Waybill .exe | malicious | Remcos | 178.23.190.118
• DHL Shipment Document Waybill NO # 1363232194.exe | malicious | Remcos | 178.23.190.118
• SC-91048-docs.exe | malicious | Remcos, GuLoader | 178.23.190.118
• Requirement Against PO. No. 242313609.pdf.exe | malicious | GuLoader, RedLine | 178.23.190.118
• SecuriteInfo.com.Trojan.NSIS.Injector.28272.29476.exe | malicious | GuLoader, RedLine | 178.23.190.118
• Price Offer_1200R4 1200R20.exe | malicious | GuLoader, RedLine | 178.23.190.118
• RFQ SY103 2nd order 2024.exe | malicious | RedLine | 178.23.190.118
• Document-1975072354.xls | malicious | Hidden Macro 4.0 | 178.23.190.8
• Document-1975072354.xls | malicious | Hidden Macro 4.0 | 178.23.190.8
Match: ATOM86-ASATOM86NL
• 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe | malicious | GuLoader, Remcos | 178.237.33.50
• 172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe | malicious | Remcos | 178.237.33.50
• girlfrnd.doc | malicious | GuLoader, Remcos | 178.237.33.50
• erthings.doc | malicious | Remcos | 178.237.33.50
• girlfrnd.doc | malicious | Remcos | 178.237.33.50
• UD61dgs2rz.exe | malicious | Remcos | 178.237.33.50
• DHL Shipment Notification 490104998009.xls | malicious | Remcos | 178.237.33.50
• Purchase Inquiry.xla.xlsx | malicious | Remcos | 178.237.33.50
• AWD 490104998518.xls | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 1138de370e523e824bbca92d049a3777
• https://intralinks.us.com/chrI1Asz01vanm3Tuyl2APdermavanm3Tz01coTxm | malicious | HTMLPhisher | 173.222.162.64
• new.bat | malicious | Unknown | 173.222.162.64
• file.exe | malicious | Babadeda | 173.222.162.64
• https://click.pstmrk.it/3s/www.rxeffect.com/xrJC/8OO2AQ/AQ/7b025ed7-37dd-46f9-8a3c-79d484929f8e/1/x7UnC8G8B9 | malicious | Unknown | 173.222.162.64
• http://cursostop10.com.br/adm/rudd/?email=nathalie.petillon@chirec.be | malicious | HTMLPhisher | 173.222.162.64
• https://nasyiahgamping.com/_loader.html?send_id=eh&tvi2_RxT=cp.appriver.com%2Fservices%2Fspamlab%2Fhmr%2FPrepareHMRAccess.aspx%3Fex%3DCwl7OpqsAW8UXOjQpfNORMYziqeg%252fwcMKDuZuqPM%252b44%253d%26et%3DSCXX1gC0hGLFIJMBjJa%252bcPyzP9zDkcUvJzlJx8HAPYIwHybHJtlKKhvlY68%252fb09k%252bq%252fmbrOOqiV%252brsXviFPAevdalHsK83HP&url=aHR0cHM6Ly9maW5hbmNlcGhpbGUuY29tL3dwLWluY2x1ZGVzL2ltZy9kLnNhdXRpZXJAc2JtLm1j | malicious | HTMLPhisher | 173.222.162.64
• file.exe | malicious | Amadey, Babadeda, Stealc, Vidar | 173.222.162.64
• file.exe | malicious | Babadeda | 173.222.162.64
• file.exe | malicious | Babadeda | 173.222.162.64
• http://cs9.biz | malicious | Unknown | 173.222.162.64
                                          No context
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):144
                                          Entropy (8bit):3.38816599775145
                                          Encrypted:false
                                          SSDEEP:3:rhlKlVjfOlWEQFb5JWRal2Jl+7R0DAlBG45klovDl6v:6lVClpQFb5YcIeeDAlOWAv
                                          MD5:7085A33F81C001FAACA00C198BF7CC18
                                          SHA1:529BE1AE6402B46DE66B089F87F6841A09794DEE
                                          SHA-256:1E5E6E38824307E31734B544070C551A68596C7E3A93E4F6398635B39E5FB253
                                          SHA-512:712780516BE71F45AE462704C975AF42931A60164F923C3EF5AFACF355675A1EB6718195CAAA0D1D95113E524EC11F81D052A6259E63E4CA7B65CD17F8553AA4
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                          Reputation:low
                                          Preview:....[.2.0.2.4./.0.7./.2.6. .1.7.:.5.4.:.5.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):962
                                          Entropy (8bit):5.013130376969173
                                          Encrypted:false
                                          SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
                                          MD5:F61E5CC20FBBA892FF93BFBFC9F41061
                                          SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
                                          SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
                                          SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          File Type:Extensible storage user DataBase, version 0x620, checksum 0x3b6fe592, page size 32768, DirtyShutdown, Windows version 10.0
                                          Category:dropped
                                          Size (bytes):17301504
                                          Entropy (8bit):1.0235410987242815
                                          Encrypted:false
                                          SSDEEP:6144:7vQPYV7AyUO+xBGA611GJxBGA611Gv0M6JKX3XX35X3khTAvhTA/hTATX3t8nqks:wyUt3F0TkT0TAitKxK9JdIC4Ago
                                          MD5:FF4AE4B16050819BFDD843FC4F59EEC8
                                          SHA1:25AF67582A4318F6C3C26330B1E799AFBF7F74B0
                                          SHA-256:B5AA84465D419EC6B2540C1C9BC4117D9F0B57A1EBD2CD6B6A95077E021388FB
                                          SHA-512:A67B4CA99EC1389B7E4F68ED815BADC07F36A26821C2C79288FC3C38462B6B818BFD04F7E6001DEF36E7D548F9E43CBB895CA317CAE93402401F4A8DC835B1A1
                                          Malicious:false
                                          Reputation:low
                                          Preview:;o.... .......4.........gN;....{........................&....../...{..86...|..h.(.........................T.;....{..............................................................................................Y...........eJ......n........................................................................................................... ........+...{o..............................................................................................................................................................................................!...{....................................86...|...................U^86...|...........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                          Category:dropped
                                          Size (bytes):2
                                          Entropy (8bit):1.0
                                          Encrypted:false
                                          SSDEEP:3:Qn:Qn
                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:..
                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                          Entropy (8bit):7.218568267888465
                                          TrID:
                                          • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                          • Win64 Executable GUI (202006/5) 46.43%
                                          • Win64 Executable (generic) (12005/4) 2.76%
                                          • Generic Win/DOS Executable (2004/3) 0.46%
                                          • DOS Executable Generic (2002/1) 0.46%
                                          File name:Shipping documents PO 16103 INV.exe
                                          File size:2'672'640 bytes
                                          MD5:671423091cbffb473016291d68a5b49b
                                          SHA1:07f1a0c895fa372f6043fbf013b78321a6939193
                                          SHA256:31fdf75cd3cf71f770eb158141183b08ed0845b27ecd2e90ce20eb3c4e4642c0
                                          SHA512:23782fee548af5a284ac9d833041604a4e1965df0c7f7bad6f4eaa7c1f13a0712c2d3218b868c06cb7779df57ec2f79fdb1dcc1b9f951cda95fa095e925f486e
                                          SSDEEP:49152:Qg7eO7kjTav5AwVZGKY3uS+s1vm1lOt+2QpTay:F7lQfjQd
                                          TLSH:3AC5C015E3E802E4D47BD630CE699733D3B1B8591734E58B0A49D6862FB3A919B3F312
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`...$n.K$n.K$n.K...J-n.K...J(n.K...J.n.K-.*K*n.Ko..J-n.K$n.K.n.K...J/n.K...J`n.K$n.K%n.K7..J%n.K7.FK%n.K7..J%n.KRich$n.K.......
                                          Icon Hash:00928e8e8686b000
                                          Entrypoint:0x140068ec0
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x140000000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x66A2D06D [Thu Jul 25 22:23:41 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:6
                                          OS Version Minor:0
                                          File Version Major:6
                                          File Version Minor:0
                                          Subsystem Version Major:6
                                          Subsystem Version Minor:0
                                          Import Hash:fa79c8f1c618648f2275daa90f4c6120
                                          mov ebx, edx
                                          inc ecx
                                          and ebx, FFFFFFF8h
                                          dec esp
                                          mov ecx, ecx
                                          inc ecx
                                          test byte ptr [eax], 00000004h
                                          dec esp
                                          mov edx, ecx
                                          je 00007FF4493E6265h
                                          inc ecx
                                          mov eax, dword ptr [eax+08h]
                                          dec ebp
                                          arpl word ptr [eax+04h], dx
                                          neg eax
                                          dec esp
                                          add edx, ecx
                                          dec eax
                                          arpl ax, cx
                                          dec esp
                                          and edx, ecx
                                          dec ecx
                                          arpl bx, ax
                                          dec edx
                                          mov edx, dword ptr [eax+edx]
                                          dec eax
                                          mov eax, dword ptr [ebx+10h]
                                          mov ecx, dword ptr [eax+08h]
                                          dec eax
                                          mov eax, dword ptr [ebx+08h]
                                          test byte ptr [ecx+eax+03h], 0000000Fh
                                          je 00007FF4493E625Dh
                                          movzx eax, byte ptr [ecx+eax+00h]
                                          Programming Language:
                                          • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x25ddf0         0x58          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x25de48         0xdc          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x283000         0x79134       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x26f000         0x138d8       .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2fd000         0x63c         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x22fd50         0x54          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x22ff80         0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x22fc10         0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x19b000         0x730         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text     0x1000           0x71068       0x71200   705ee70f681712f037648f64f7ff349b  False     0.45604713397790053  data       6.628875011573696    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed  0x73000          0xc71b8       0xc7200   1a9720d8f2052361ee72792911e2998c  False     0.4527093632297552   data       6.455888936505785    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated  0x13b000         0x5f760       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                  IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata    0x19b000         0xc4826       0xc4a00   0285163004b3ed4388662c063763ad6a  False     0.4669707068499682   data       6.832398352911537    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x260000         0xe910        0x2200    8fd33c392153ba6b562bd43642981136  False     0.24126838235294118  data       3.707086596297386    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata    0x26f000         0x138d8       0x13a00   085ea66cfd1057997a6929925deeaa33  False     0.488953025477707    data       6.138192127218323    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc     0x283000         0x79134       0x79200   1cb9211dd0bdbe47f66fcc359c0c0f3e  False     0.9982564983230134   data       7.999258423963929    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0x2fd000         0x63c         0x800     cca946f892ab4486af2246e58222b961  False     0.4814453125         data       4.783243091845513    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size     Type                                                                                Language  Country  ZLIB Complexity
BINARY       0x283124  0x78a84  data                                                                                                    1.0003257711265612
RT_VERSION   0x2fbba8  0x3a0    data                                                                                                    0.3545258620689655
RT_MANIFEST  0x2fbf48  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
DLL                                 Import
ADVAPI32.dll                        RegCloseKey, RegEnumValueW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteValueW, RegEnumKeyExW, RegFlushKey, RegQueryInfoKeyW, RegSetValueExW, CreateWellKnownSid, GetWindowsAccountDomainSid, LookupPrivilegeValueW, RevertToSelf, OpenThreadToken, OpenProcessToken, SetThreadToken, AdjustTokenPrivileges, DuplicateTokenEx, GetSecurityDescriptorLength, EventWrite, EventRegister, EventEnabled
bcrypt.dll                          BCryptGenRandom, BCryptEncrypt, BCryptDecrypt, BCryptImportKey, BCryptOpenAlgorithmProvider, BCryptCloseAlgorithmProvider, BCryptDestroyKey, BCryptSetProperty
KERNEL32.dll                        TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, CloseThreadpoolIo, GetStdHandle, FileTimeToSystemTime, SystemTimeToFileTime, GetSystemTime, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, FindStringOrdinal, GetTickCount64, GetCurrentProcess, GetCurrentThread, Sleep, InitializeCriticalSection, InitializeConditionVariable, DeleteCriticalSection, LocalFree, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, WaitForMultipleObjectsEx, GetLastError, QueryPerformanceFrequency, SetLastError, GetFullPathNameW, GetLongPathNameW, MultiByteToWideChar, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, RaiseFailFastException, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CopyFileExW, CreateFileW, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, WriteFile, GetCurrentProcessorNumberEx, CloseHandle, SetEvent, ResetEvent, CreateEventExW, GetEnvironmentVariableW, FormatMessageW, DuplicateHandle, GetThreadPriority, SetThreadPriority, CreateProcessA, GetConsoleWindow, GetModuleHandleA, FreeConsole, AllocConsole, CreateProcessW, GetThreadContext, ExitProcess, FlushProcessWriteBuffers, GetCurrentThreadId, WaitForSingleObjectEx, VirtualQuery, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, TerminateProcess, SwitchToThread, CreateThread, SuspendThread, ResumeThread, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, GetCurrentProcessId
ole32.dll                           CoUninitialize, CoTaskMemAlloc, CoGetApartmentType, CoCreateGuid, CoTaskMemFree, CoWaitForMultipleHandles, CoInitializeEx
api-ms-win-crt-math-l1-1-0.dll      __setusermatherr, ceil
api-ms-win-crt-heap-l1-1-0.dll      calloc, free, _callnewh, _set_new_mode, malloc
api-ms-win-crt-string-l1-1-0.dll    wcsncmp, strncpy_s, _stricmp, strcpy_s, strcmp, _wcsicmp
api-ms-win-crt-runtime-l1-1-0.dll   _c_exit, _register_thread_local_exe_atexit_callback, _get_initial_wide_environment, _cexit, __p___wargv, __p___argc, _exit, exit, _initterm_e, _initterm, terminate, _crt_atexit, _initialize_wide_environment, _register_onexit_function, _initialize_onexit_table, _configure_wide_argv, _set_app_type, _seh_filter_exe, abort
api-ms-win-crt-stdio-l1-1-0.dll     __stdio_common_vsprintf_s, __stdio_common_vsscanf, __stdio_common_vfprintf, __acrt_iob_func, _set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll    _configthreadlocale
Name                      Ordinal  Address
DotNetRuntimeDebugHeader  1        0x140261360
Timestamp                        Protocol  SID      Signature                                                               Source Port  Dest Port  Source IP       Dest IP
2024-07-26T23:58:58.003146+0200  TCP       2032777  ET MALWARE Remcos 3.x Unencrypted Server Response                       52499        49710      178.23.190.118  192.168.2.6
2024-07-26T23:54:58.863658+0200  TCP       2803304  ETPRO MALWARE Common Downloader Header Pattern HCa                      49712        80         192.168.2.6     178.237.33.50
2024-07-26T23:55:14.692707+0200  TCP       2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  443          49715      20.114.59.183   192.168.2.6
2024-07-26T23:56:57.970794+0200  TCP       2032777  ET MALWARE Remcos 3.x Unencrypted Server Response                       52499        49710      178.23.190.118  192.168.2.6
2024-07-26T23:54:57.593214+0200  TCP       2032777  ET MALWARE Remcos 3.x Unencrypted Server Response                       52499        49710      178.23.190.118  192.168.2.6
2024-07-26T23:55:52.583949+0200  TCP       2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  443          49722      20.114.59.183   192.168.2.6
2024-07-26T23:54:56.646492+0200  TCP       2032776  ET MALWARE Remcos 3.x Unencrypted Checkin                               49710        52499      192.168.2.6     178.23.190.118
Timestamp                          Source Port  Dest Port  Source IP       Dest IP
                                          Jul 26, 2024 23:54:58.629837036 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.629852057 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.629908085 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.631508112 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.631522894 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.631596088 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.633212090 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.633227110 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.633239985 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.633291960 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.634929895 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.634946108 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.634994984 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.636617899 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.636632919 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.636692047 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.638310909 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.638328075 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.638380051 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.639846087 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.639861107 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.639878988 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.640012026 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.640012980 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.641356945 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.641372919 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.641432047 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.642792940 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.642810106 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.642858982 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.644215107 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.644229889 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.644289970 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.645643950 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.645659924 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.645739079 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.647022963 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.647037983 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.647052050 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.647102118 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.648386002 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.648401976 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.648453951 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.649755955 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.649772882 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.649830103 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.651073933 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.651089907 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.651169062 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.652354956 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.652371883 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.652384996 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.652510881 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.652510881 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.653587103 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.653601885 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.653649092 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.654776096 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.654792070 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.654879093 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.655946970 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.655961990 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.655976057 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.656023979 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.657040119 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.657093048 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.657553911 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.657568932 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.657618046 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.658277035 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.658292055 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.658341885 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.659322977 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.671644926 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.671705961 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.671977043 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.671993017 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.672130108 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.672604084 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.672621012 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.672681093 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.673525095 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.673540115 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.673604012 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.674360037 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.674375057 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.674424887 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.675225019 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.675240040 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.675254107 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.675267935 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.675342083 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.675342083 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.682490110 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.682708979 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.682723999 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.682775974 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.683676958 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.683783054 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.684175014 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.684190035 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.684238911 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.685028076 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.685045004 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.685094118 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.686273098 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.686288118 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.686338902 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.708283901 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.708947897 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.708998919 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.709074020 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.709481955 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.709532976 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.709765911 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.710505962 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.710520983 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.710572958 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.711386919 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.711402893 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.711452961 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.712470055 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.712500095 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.712517977 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.713572025 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.713587046 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.713639021 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.714673042 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.714688063 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.714703083 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.714751959 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.714751959 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.715732098 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.715747118 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.715797901 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.716603994 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.716620922 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.716670036 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.717499971 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.717515945 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.717565060 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.718394041 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.718410015 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.718424082 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.718471050 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.719218016 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.719233036 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.719280005 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.720078945 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.720098972 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.720150948 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.720972061 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.720988035 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.721039057 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.721833944 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.721848965 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.721898079 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.722742081 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.722757101 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.722769976 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.722830057 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.722830057 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.723531008 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.723546028 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.723596096 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.724306107 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.724320889 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.724395990 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.725080967 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.725096941 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.725142002 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.725842953 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.725857973 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.725872040 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.725943089 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.726608038 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.726624012 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.726689100 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.727349043 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.727365017 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.727397919 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.728106976 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.728121996 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.728149891 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.728873014 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.728888988 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.728918076 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.729513884 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.729543924 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.729562044 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.729585886 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.729635000 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.730243921 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.730259895 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.730431080 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.730942011 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.730957031 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.731635094 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.731651068 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.731899023 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.731899023 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.732309103 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.732325077 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.732338905 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.732378006 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.733010054 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.733026028 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.733053923 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.733668089 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.733683109 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.733696938 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.733721972 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.733771086 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.734680891 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.734698057 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.734713078 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.734775066 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.735652924 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.735667944 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.735682011 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.735694885 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.735708952 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.735733986 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.735734940 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.735845089 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.736594915 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.736610889 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.736624002 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.736649990 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.737462044 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.737483978 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.737498999 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.737523079 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.737572908 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.758740902 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.758944035 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.758954048 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.759035110 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.759474993 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.759485006 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.759495020 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.759540081 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.759540081 CEST4971152499192.168.2.6178.23.190.118
                                          Jul 26, 2024 23:54:58.760432005 CEST5249949711178.23.190.118192.168.2.6
                                          Jul 26, 2024 23:54:58.760442972 CEST5249949711178.23.190.118192.168.2.6
Jul 26, 2024 23:54:58.760508060 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.761054039 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.761064053 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.761073112 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.761121988 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.761910915 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.761920929 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.761929989 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.761991024 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.771404028 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.771534920 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.771569967 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.771657944 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.772053957 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.772064924 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.772212982 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.772567987 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.772579908 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.772625923 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.796808004 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.796904087 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.797044039 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.797081947 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.797133923 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.797400951 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.797435999 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.797518015 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.797952890 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.797961950 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.797971010 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.798010111 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.798624992 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.798634052 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.798641920 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.798676968 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.799555063 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.799563885 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.799572945 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.799622059 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.800513029 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.800523043 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.800530910 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.800539017 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.800676107 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.800676107 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.801512003 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.801521063 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.801529884 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.801537991 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.802463055 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.802473068 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.802476883 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.802488089 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.802488089 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.802606106 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.803462029 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.803472042 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.803478956 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.803563118 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.804411888 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.804420948 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.804429054 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.804441929 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.804492950 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.804492950 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.805216074 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.805224895 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.805233955 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.805277109 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.805277109 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.806024075 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.806034088 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.806041956 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.806081057 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.806848049 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.806857109 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.806864023 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.806871891 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.806921959 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.806921959 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.807594061 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.807602882 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.807612896 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.807658911 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.807658911 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.808351040 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.808361053 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.808368921 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.808419943 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.809144974 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.809154987 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.809163094 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.809171915 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.809210062 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.809210062 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.809927940 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.809937954 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.809947014 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.810071945 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.810071945 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.810702085 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.810712099 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.810719967 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.810770035 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.811434031 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.811444044 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.811453104 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.811461926 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.811471939 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.811517000 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.811517000 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.811517000 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.812387943 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.812397957 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.812407017 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.812416077 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.812463045 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.812463045 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.813333988 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.813344002 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.813353062 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.813363075 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.813371897 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.813438892 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.813438892 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.814304113 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.814313889 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.814322948 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.814332008 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.814390898 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.814390898 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.815231085 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.815241098 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.815249920 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.815263987 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.815274000 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.815325975 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.815325975 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.815325975 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.816097975 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.816107988 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.816163063 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.820743084 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.820848942 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.820861101 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.820939064 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.821228981 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.821239948 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.821249008 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.821259022 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.821279049 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.821321964 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.846662045 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.846718073 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.846755981 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.846829891 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.847083092 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.847090960 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.847099066 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.847121000 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.847121000 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.847696066 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.847706079 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.848263979 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.848272085 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.848314047 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.848314047 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.848500013 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.848541975 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.848561049 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.848570108 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.848577023 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.848613977 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.849359989 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.850444078 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.861324072 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.861332893 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.861341953 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.861387014 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.861423969 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.861433029 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.861442089 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.861450911 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.861505985 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.861505985 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.863509893 CEST | 80 | 49712 | 178.237.33.50 | 192.168.2.6
Jul 26, 2024 23:54:58.863657951 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:54:58.876220942 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.883562088 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.886015892 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.886068106 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.886142015 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.886152029 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.886198997 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.886594057 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.886603117 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.886610985 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.886624098 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.886646032 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.886687994 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.887475967 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.887484074 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.887491941 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.887500048 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.887517929 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.887558937 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.888497114 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.888506889 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.888514996 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.888525009 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.888557911 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.888557911 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.889384031 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.889394045 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.889400959 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.889410019 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.889419079 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.889924049 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.889924049 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.890332937 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.890341997 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.890346050 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.890352964 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.890386105 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.891288996 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.891298056 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.891305923 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.891319990 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.891328096 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.891346931 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.891346931 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.891366005 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.892241001 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.892251968 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.892261028 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:54:58.892283916 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:58.939421892 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:54:59.864226103 CEST | 80 | 49712 | 178.237.33.50 | 192.168.2.6
Jul 26, 2024 23:54:59.864295006 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:55:00.040076971 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:55:00.045429945 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045496941 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045507908 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:55:00.045556068 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:55:00.045589924 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045619011 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045640945 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:55:00.045648098 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045660973 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:55:00.045682907 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045711040 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045739889 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045767069 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.045793056 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.050782919 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.050852060 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.050879002 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.050930023 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.050977945 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.051004887 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.051423073 CEST | 52499 | 49711 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:00.051628113 CEST | 49711 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:55:03.064580917 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:03.064580917 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:03.392551899 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:05.074122906 CEST | 443 | 49705 | 173.222.162.64 | 192.168.2.6
Jul 26, 2024 23:55:05.074253082 CEST | 49705 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:14.887852907 CEST | 49705 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:14.887975931 CEST | 49705 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:14.888467073 CEST | 49718 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:14.888578892 CEST | 443 | 49718 | 173.222.162.64 | 192.168.2.6
Jul 26, 2024 23:55:14.888650894 CEST | 49718 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:14.889215946 CEST | 49718 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:14.889252901 CEST | 443 | 49718 | 173.222.162.64 | 192.168.2.6
Jul 26, 2024 23:55:14.894097090 CEST | 443 | 49705 | 173.222.162.64 | 192.168.2.6
Jul 26, 2024 23:55:14.894160986 CEST | 443 | 49705 | 173.222.162.64 | 192.168.2.6
Jul 26, 2024 23:55:15.507836103 CEST | 443 | 49718 | 173.222.162.64 | 192.168.2.6
Jul 26, 2024 23:55:15.507953882 CEST | 49718 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:27.928793907 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:27.930524111 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:55:27.935556889 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:34.666237116 CEST | 443 | 49718 | 173.222.162.64 | 192.168.2.6
Jul 26, 2024 23:55:34.670183897 CEST | 49718 | 443 | 192.168.2.6 | 173.222.162.64
Jul 26, 2024 23:55:57.942143917 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:55:57.949877977 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:55:57.955097914 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:56:27.957743883 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:56:27.959434032 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:56:27.969214916 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:56:48.205437899 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:56:48.546958923 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:56:49.236577034 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:56:50.439646959 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:56:52.895802021 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:56:57.795938969 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:56:57.970793962 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:56:57.972520113 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:56:57.977618933 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:57:07.404397011 CEST | 49712 | 80 | 192.168.2.6 | 178.237.33.50
Jul 26, 2024 23:57:28.033643007 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:57:28.035223007 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:57:28.040258884 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:57:58.001110077 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:57:58.004481077 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:57:58.010135889 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:58:28.004518986 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:58:28.013636112 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:58:28.019378901 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:58:58.003145933 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Jul 26, 2024 23:58:58.004750967 CEST | 49710 | 52499 | 192.168.2.6 | 178.23.190.118
Jul 26, 2024 23:58:58.009849072 CEST | 52499 | 49710 | 178.23.190.118 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 23:54:58.228410006 CEST | 51535 | 53 | 192.168.2.6 | 1.1.1.1
Jul 26, 2024 23:54:58.239778042 CEST | 53 | 51535 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 23:54:58.228410006 CEST | 192.168.2.6 | 1.1.1.1 | 0x73b4 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 23:54:58.239778042 CEST | 1.1.1.1 | 192.168.2.6 | 0x73b4 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 23:55:14.145265102 CEST | 1.1.1.1 | 192.168.2.6 | 0xb8d6 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 26, 2024 23:55:14.145265102 CEST | 1.1.1.1 | 192.168.2.6 | 0xb8d6 | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 23:55:15.538867950 CEST | 1.1.1.1 | 192.168.2.6 | 0xdf03 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 23:55:15.538867950 CEST | 1.1.1.1 | 192.168.2.6 | 0xdf03 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                          • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49712 | 178.237.33.50 | 80 | 3212 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 23:54:58.250808954 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jul 26, 2024 23:54:58.863509893 CEST | 1170 | IN | HTTP/1.1 200 OK
                                          date: Fri, 26 Jul 2024 21:54:58 GMT
                                          server: Apache
                                          content-length: 962
                                          content-type: application/json; charset=utf-8
                                          cache-control: public, max-age=300
                                          access-control-allow-origin: *
                                          Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                                          Target ID:0
                                          Start time:17:54:54
                                          Start date:26/07/2024
                                          Path:C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\Shipping documents PO 16103 INV.exe"
                                          Imagebase:0x7ff694860000
                                          File size:2'672'640 bytes
                                          MD5 hash:671423091CBFFB473016291D68A5B49B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2097424848.0000021724562000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:17:54:54
                                          Start date:26/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff66e660000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:17:54:55
                                          Start date:26/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                          Wow64 process (32bit):
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                                          Imagebase:
                                          File size:262'432 bytes
                                          MD5 hash:8FDF47E0FF70C40ED3A17014AEEA4232
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:4
                                          Start time:17:54:55
                                          Start date:26/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                          Imagebase:0xb70000
                                          File size:43'008 bytes
                                          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4543318604.0000000001077000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4544415649.0000000002DDE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4543419260.00000000010C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:6
                                          Start time:17:54:57
                                          Start date:26/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\vunykblr"
                                          Imagebase:0x7d0000
                                          File size:43'008 bytes
                                          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:7
                                          Start time:17:54:57
                                          Start date:26/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown"
                                          Imagebase:0x340000
                                          File size:43'008 bytes
                                          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:8
                                          Start time:17:54:57
                                          Start date:26/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\xosqltwlown"
                                          Imagebase:0x9e0000
                                          File size:43'008 bytes
                                          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:9
                                          Start time:17:54:57
                                          Start date:26/07/2024
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\user\AppData\Local\Temp\hqgjmdgmcefhebf"
                                          Imagebase:0xb90000
                                          File size:43'008 bytes
                                          MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
                                          Has exited:true

                                            Execution Graph

                                            Execution Coverage:6.2%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:25.8%
                                            Total number of Nodes:919
                                            Total number of Limit Nodes:33
16040->16089 16042 7ff69489ea80 6 API calls 16041->16042 16042->16041 16052 7ff69487dcaa 16044->16052 16045 7ff69487dd51 SwitchToThread 16045->16052 16048 7ff69487dd7d SwitchToThread 16048->16052 16049 7ff6948728e0 SleepEx 16049->16052 16052->16041 16052->16045 16052->16048 16052->16049 16055 7ff69487dd45 SwitchToThread 16052->16055 16085 7ff6948a0880 16052->16085 16055->16052 16058 7ff6948a0869 16057->16058 16059 7ff6948a06dd 16057->16059 16058->16019 16060 7ff694872080 10 API calls 16059->16060 16061 7ff6948a0704 16060->16061 16062 7ff6948a0857 16061->16062 16063 7ff694877080 WaitForSingleObject 16061->16063 16062->16019 16065 7ff6948a073d 16063->16065 16064 7ff6948a0840 16064->16019 16065->16064 16066 7ff6948a07c9 SwitchToThread 16065->16066 16067 7ff6948a07f5 SwitchToThread 16065->16067 16068 7ff6948728e0 SleepEx 16065->16068 16069 7ff6948a0880 WaitForSingleObject 16065->16069 16070 7ff6948a07bd SwitchToThread 16065->16070 16066->16065 16067->16065 16068->16065 16069->16065 16070->16065 16072 7ff6948728ed 16071->16072 16073 7ff6948728e4 SleepEx 16071->16073 16072->16019 16073->16072 16075 7ff69487d69c 16074->16075 16077 7ff69487d80b 16074->16077 16076 7ff6948728e0 SleepEx 16075->16076 16075->16077 16080 7ff69487d6df 16076->16080 16095 7ff69489cbb0 16077->16095 16079 7ff69487d78a SwitchToThread 16079->16080 16080->16077 16080->16079 16081 7ff6948a0880 WaitForSingleObject 16080->16081 16082 7ff69487d7b6 SwitchToThread 16080->16082 16083 7ff6948728e0 SleepEx 16080->16083 16084 7ff69487d77e SwitchToThread 16080->16084 16081->16080 16082->16080 16083->16080 16084->16080 16086 7ff6948a0896 16085->16086 16087 7ff6948a08cd 16086->16087 16093 7ff694872c40 WaitForSingleObject 16086->16093 16087->16052 16090 7ff694877098 16089->16090 16094 7ff694872c40 WaitForSingleObject 16090->16094 16097 7ff69489cbee 16095->16097 16096 7ff69488d200 38 API calls 16096->16097 16097->16096 16098 7ff69489ce87 _swprintf_c_l 16097->16098 16098->16077 16099 7ff694866620 16105 7ff694866645 
16099->16105 16100 7ff694866659 16101 7ff69486671f 16102 7ff694866726 16101->16102 16103 7ff69486673f 16101->16103 16121 7ff69486b220 16102->16121 16108 7ff69486676f 16103->16108 16124 7ff6948663b0 GetLastError 16103->16124 16104 7ff694866706 16115 7ff694864c30 16104->16115 16105->16100 16105->16101 16105->16104 16110 7ff6948666e7 16105->16110 16111 7ff6948666c8 16105->16111 16109 7ff694866732 RaiseFailFastException 16109->16103 16110->16104 16114 7ff6948666f9 RaiseFailFastException 16110->16114 16113 7ff6948666d0 Sleep 16111->16113 16113->16110 16113->16113 16114->16104 16116 7ff694864c56 16115->16116 16117 7ff69486acc0 3 API calls 16116->16117 16120 7ff694864c74 16116->16120 16118 7ff694864c6c 16117->16118 16127 7ff694865920 16118->16127 16120->16101 16122 7ff69486b234 16121->16122 16122->16122 16123 7ff69486b23d GetStdHandle WriteFile 16122->16123 16123->16109 16125 7ff6948663e0 16124->16125 16126 7ff694866406 SetLastError 16125->16126 16128 7ff69486594f 16127->16128 16129 7ff69486aa30 VirtualQuery 16128->16129 16130 7ff69486599c 16129->16130 16131 7ff6948659ad 16130->16131 16132 7ff6948659a0 RaiseFailFastException 16130->16132 16133 7ff69486dcc0 4 API calls 16131->16133 16132->16131 16134 7ff6948659b5 16133->16134 16134->16120 16135 7ff694865760 16165 7ff69486b020 FlsAlloc 16135->16165 16137 7ff6948658ce 16138 7ff69486576b 16138->16137 16178 7ff69486aec0 GetModuleHandleExW 16138->16178 16140 7ff69486578b 16179 7ff694867110 16140->16179 16142 7ff694865793 16142->16137 16187 7ff69486b750 16142->16187 16146 7ff6948657b0 16146->16137 16147 7ff6948657d8 RtlAddVectoredExceptionHandler 16146->16147 16148 7ff6948657ec 16147->16148 16149 7ff6948657f1 16147->16149 16151 7ff694865825 16148->16151 16152 7ff69486d7b0 9 API calls 16148->16152 16224 7ff69486d7b0 16149->16224 16153 7ff69486587f 16151->16153 16201 7ff69486df20 16151->16201 16152->16151 16209 7ff694869f40 16153->16209 16156 7ff694865884 16156->16137 16230 7ff694865410 16156->16230 16166 7ff69486b040 16165->16166 
16167 7ff69486b16e 16165->16167 16241 7ff694873910 16166->16241 16167->16138 16169 7ff69486b045 16170 7ff6948726b0 10 API calls 16169->16170 16171 7ff69486b04a 16170->16171 16171->16167 16172 7ff69486d7b0 9 API calls 16171->16172 16173 7ff69486b072 16172->16173 16174 7ff69486b09a GetCurrentProcess GetProcessAffinityMask 16173->16174 16175 7ff69486b091 16173->16175 16177 7ff69486b108 16173->16177 16174->16175 16176 7ff69486b0e4 QueryInformationJobObject 16175->16176 16176->16177 16177->16138 16178->16140 16180 7ff6948c8fd0 _swprintf_c_l 3 API calls 16179->16180 16181 7ff694867125 16180->16181 16182 7ff694867164 16181->16182 16380 7ff69486fdc0 16181->16380 16182->16142 16184 7ff694867132 16184->16182 16185 7ff69486b410 InitializeCriticalSectionEx 16184->16185 16186 7ff69486715d 16185->16186 16186->16142 16188 7ff69486b410 InitializeCriticalSectionEx 16187->16188 16189 7ff6948657a0 16188->16189 16189->16137 16190 7ff694866b50 16189->16190 16191 7ff6948c8fd0 _swprintf_c_l 3 API calls 16190->16191 16192 7ff694866b6e 16191->16192 16193 7ff694866c0a 16192->16193 16383 7ff694864d60 16192->16383 16193->16146 16195 7ff694866ba0 16196 7ff694866bea 16195->16196 16390 7ff694864e50 16195->16390 16196->16146 16198 7ff694866bad 16200 7ff694866bbd ISource 16198->16200 16394 7ff694864be0 16198->16394 16200->16146 16202 7ff69486df4b 16201->16202 16203 7ff69486dff6 16201->16203 16204 7ff6948c8fd0 _swprintf_c_l 3 API calls 16202->16204 16203->16153 16205 7ff69486df6a 16204->16205 16206 7ff69486b410 InitializeCriticalSectionEx 16205->16206 16207 7ff69486df95 16206->16207 16208 7ff69486dfde GetSystemTimeAsFileTime 16207->16208 16208->16203 16210 7ff6948c89ab 16209->16210 16211 7ff694869f79 EventRegister 16210->16211 16212 7ff694869ffc 16211->16212 16214 7ff694869ff7 16211->16214 16213 7ff69486d7b0 9 API calls 16212->16213 16213->16214 16399 7ff69486a820 16214->16399 16217 7ff69486a074 16217->16156 16218 7ff69486a04b 16218->16217 16417 7ff694866960 16218->16417 16220 7ff69486a054 
16220->16217 16424 7ff69486e9d0 16220->16424 16221 7ff69486a064 16221->16156 16227 7ff69486d820 16224->16227 16225 7ff69486d8a0 _wcsicmp 16225->16227 16229 7ff69486d8bd 16225->16229 16226 7ff6948c8fb0 8 API calls 16228 7ff69486d99d 16226->16228 16227->16225 16227->16229 16228->16148 16229->16226 16232 7ff69486559b 16230->16232 16233 7ff69486543a 16230->16233 16231 7ff694865726 16231->16137 16239 7ff69486b410 16231->16239 16232->16231 16234 7ff69486b220 2 API calls 16232->16234 16233->16232 16636 7ff69486b1d0 LoadLibraryExW 16233->16636 16235 7ff69486571a RaiseFailFastException 16234->16235 16235->16231 16237 7ff694865516 16237->16232 16639 7ff69486b180 LoadLibraryExW 16237->16639 16240 7ff6948c8bd9 InitializeCriticalSectionEx 16239->16240 16368 7ff694869b90 16241->16368 16244 7ff694869b90 9 API calls 16245 7ff69487394e 16244->16245 16246 7ff694869b90 9 API calls 16245->16246 16247 7ff694873969 16246->16247 16248 7ff694869b90 9 API calls 16247->16248 16249 7ff694873984 16248->16249 16250 7ff694869b90 9 API calls 16249->16250 16251 7ff6948739a4 16250->16251 16252 7ff694869b90 9 API calls 16251->16252 16253 7ff6948739bf 16252->16253 16254 7ff694869b90 9 API calls 16253->16254 16255 7ff6948739df 16254->16255 16256 7ff694869b90 9 API calls 16255->16256 16257 7ff6948739fa 16256->16257 16258 7ff694869b90 9 API calls 16257->16258 16259 7ff694873a15 16258->16259 16260 7ff694869b90 9 API calls 16259->16260 16261 7ff694873a30 16260->16261 16262 7ff694869b90 9 API calls 16261->16262 16263 7ff694873a50 16262->16263 16264 7ff694869b90 9 API calls 16263->16264 16265 7ff694873a70 16264->16265 16374 7ff694869d50 16265->16374 16268 7ff694869d50 9 API calls 16269 7ff694873aa0 16268->16269 16270 7ff694869d50 9 API calls 16269->16270 16271 7ff694873ab5 16270->16271 16272 7ff694869d50 9 API calls 16271->16272 16273 7ff694873aca 16272->16273 16274 7ff694869d50 9 API calls 16273->16274 16275 7ff694873adf 16274->16275 16276 7ff694869d50 9 API calls 16275->16276 16277 7ff694873af9 
16276->16277 16278 7ff694869d50 9 API calls 16277->16278 16279 7ff694873b0e 16278->16279 16280 7ff694869d50 9 API calls 16279->16280 16281 7ff694873b23 16280->16281 16282 7ff694869d50 9 API calls 16281->16282 16283 7ff694873b38 16282->16283 16284 7ff694869d50 9 API calls 16283->16284 16285 7ff694873b4d 16284->16285 16286 7ff694869d50 9 API calls 16285->16286 16287 7ff694873b62 16286->16287 16288 7ff694869d50 9 API calls 16287->16288 16289 7ff694873b77 16288->16289 16290 7ff694869d50 9 API calls 16289->16290 16291 7ff694873b91 16290->16291 16292 7ff694869d50 9 API calls 16291->16292 16293 7ff694873bab 16292->16293 16294 7ff694869d50 9 API calls 16293->16294 16295 7ff694873bc0 16294->16295 16296 7ff694869d50 9 API calls 16295->16296 16297 7ff694873bd5 16296->16297 16298 7ff694869d50 9 API calls 16297->16298 16299 7ff694873bea 16298->16299 16300 7ff694869d50 9 API calls 16299->16300 16301 7ff694873bff 16300->16301 16302 7ff694869d50 9 API calls 16301->16302 16303 7ff694873c19 16302->16303 16304 7ff694869d50 9 API calls 16303->16304 16305 7ff694873c33 16304->16305 16306 7ff694869d50 9 API calls 16305->16306 16307 7ff694873c48 16306->16307 16308 7ff694869d50 9 API calls 16307->16308 16309 7ff694873c5d 16308->16309 16310 7ff694869d50 9 API calls 16309->16310 16311 7ff694873c72 16310->16311 16312 7ff694869d50 9 API calls 16311->16312 16313 7ff694873c87 16312->16313 16314 7ff694869d50 9 API calls 16313->16314 16315 7ff694873c9c 16314->16315 16316 7ff694869d50 9 API calls 16315->16316 16317 7ff694873cb1 16316->16317 16318 7ff694869d50 9 API calls 16317->16318 16319 7ff694873cc6 16318->16319 16320 7ff694869d50 9 API calls 16319->16320 16321 7ff694873cdb 16320->16321 16322 7ff694869d50 9 API calls 16321->16322 16323 7ff694873cf0 16322->16323 16324 7ff694869d50 9 API calls 16323->16324 16325 7ff694873d05 16324->16325 16326 7ff694869d50 9 API calls 16325->16326 16327 7ff694873d1a 16326->16327 16328 7ff694869d50 9 API calls 16327->16328 16329 7ff694873d2f 16328->16329 16330 
7ff694869d50 9 API calls 16329->16330 16331 7ff694873d44 16330->16331 16332 7ff694869d50 9 API calls 16331->16332 16333 7ff694873d59 16332->16333 16334 7ff694869d50 9 API calls 16333->16334 16335 7ff694873d6e 16334->16335 16336 7ff694869d50 9 API calls 16335->16336 16337 7ff694873d83 16336->16337 16338 7ff694869d50 9 API calls 16337->16338 16339 7ff694873d98 16338->16339 16340 7ff694869d50 9 API calls 16339->16340 16341 7ff694873dad 16340->16341 16342 7ff694869d50 9 API calls 16341->16342 16343 7ff694873dc2 16342->16343 16344 7ff694869d50 9 API calls 16343->16344 16345 7ff694873dd7 16344->16345 16346 7ff694869d50 9 API calls 16345->16346 16347 7ff694873dec 16346->16347 16348 7ff694869d50 9 API calls 16347->16348 16349 7ff694873e01 16348->16349 16350 7ff694869d50 9 API calls 16349->16350 16351 7ff694873e16 16350->16351 16352 7ff694869d50 9 API calls 16351->16352 16353 7ff694873e30 16352->16353 16354 7ff694869d50 9 API calls 16353->16354 16355 7ff694873e4a 16354->16355 16356 7ff694869d50 9 API calls 16355->16356 16357 7ff694873e64 16356->16357 16358 7ff694869d50 9 API calls 16357->16358 16359 7ff694873e7e 16358->16359 16360 7ff694869d50 9 API calls 16359->16360 16361 7ff694873e98 16360->16361 16362 7ff694869d50 9 API calls 16361->16362 16363 7ff694873eb2 16362->16363 16364 7ff694869d50 9 API calls 16363->16364 16365 7ff694873ec7 16364->16365 16366 7ff694869d50 9 API calls 16365->16366 16367 7ff694873ee1 16366->16367 16373 7ff694869bc3 16368->16373 16369 7ff6948c8fb0 8 API calls 16370 7ff694869cfe 16369->16370 16370->16244 16371 7ff69486d7b0 9 API calls 16372 7ff694869bc7 16371->16372 16372->16369 16373->16371 16373->16372 16375 7ff694869d80 16374->16375 16376 7ff69486d7b0 9 API calls 16375->16376 16377 7ff694869e98 16376->16377 16378 7ff6948c8fb0 8 API calls 16377->16378 16379 7ff694869eb0 16378->16379 16379->16268 16381 7ff69486b410 InitializeCriticalSectionEx 16380->16381 16382 7ff69486fe0c 16381->16382 16382->16184 16384 7ff6948c8fd0 _swprintf_c_l 3 API calls 
16383->16384 16385 7ff694864d7e 16384->16385 16386 7ff69486b410 InitializeCriticalSectionEx 16385->16386 16387 7ff694864db0 16385->16387 16386->16387 16388 7ff694864e08 ISource 16387->16388 16397 7ff69486b3f0 16387->16397 16388->16195 16391 7ff694864e55 16390->16391 16393 7ff694864e66 ISource 16390->16393 16392 7ff69486b3f0 DeleteCriticalSection 16391->16392 16392->16393 16393->16198 16395 7ff69486b3f0 16394->16395 16395->16200 16396 7ff6948c8a4d DeleteCriticalSection 16395->16396 16397->16388 16398 7ff6948c8a4d DeleteCriticalSection 16397->16398 16434 7ff694871d60 16399->16434 16401 7ff69486a037 16401->16217 16402 7ff694879140 16401->16402 16403 7ff69486e020 4 API calls 16402->16403 16404 7ff694879159 16403->16404 16445 7ff6948728a0 QueryPerformanceFrequency 16404->16445 16406 7ff69487915e 16409 7ff6948791d9 16406->16409 16446 7ff694872260 16406->16446 16408 7ff69487944b ISource 16408->16218 16409->16408 16460 7ff69488f640 16409->16460 16411 7ff69487964c 16411->16408 16412 7ff6948c8fd0 _swprintf_c_l 3 API calls 16411->16412 16413 7ff694879782 16412->16413 16413->16408 16483 7ff694871eb0 16413->16483 16415 7ff6948797ad 16488 7ff69488de20 16415->16488 16418 7ff694866972 16417->16418 16419 7ff6948669ad 16418->16419 16613 7ff69486fc70 CreateEventW 16418->16613 16419->16220 16421 7ff694866984 16421->16419 16614 7ff69486b320 CreateThread 16421->16614 16423 7ff6948669a3 16423->16220 16425 7ff69486e9e7 16424->16425 16426 7ff69486e9ef 16425->16426 16427 7ff6948c8fd0 _swprintf_c_l 3 API calls 16425->16427 16426->16221 16431 7ff69486ea21 16427->16431 16428 7ff69486eb58 ISource 16428->16221 16430 7ff69486eaf2 ISource 16430->16221 16431->16428 16432 7ff69486eab5 ISource 16431->16432 16617 7ff694874350 16431->16617 16432->16430 16623 7ff6948745e0 16432->16623 16439 7ff694874c20 16434->16439 16436 7ff694871d9f 16436->16401 16440 7ff6948c8fd0 _swprintf_c_l 3 API calls 16439->16440 16441 7ff694871d88 16440->16441 16441->16436 16442 7ff694876770 16441->16442 16443 7ff6948c8fd0 
_swprintf_c_l 3 API calls 16442->16443 16444 7ff694876785 16443->16444 16444->16436 16445->16406 16447 7ff694872283 16446->16447 16448 7ff694872297 GetCurrentProcess IsProcessInJob 16447->16448 16454 7ff6948723d4 16447->16454 16449 7ff6948722ec 16448->16449 16450 7ff694872393 16448->16450 16449->16450 16452 7ff6948722f6 QueryInformationJobObject 16449->16452 16453 7ff6948723ab GlobalMemoryStatusEx 16450->16453 16450->16454 16451 7ff694872422 GlobalMemoryStatusEx 16455 7ff694872418 16451->16455 16452->16450 16457 7ff694872318 16452->16457 16453->16454 16454->16451 16454->16455 16456 7ff6948c8fb0 8 API calls 16455->16456 16458 7ff694872464 16456->16458 16457->16450 16459 7ff69487235c GlobalMemoryStatusEx 16457->16459 16458->16409 16459->16450 16511 7ff6948728f0 VirtualAlloc 16460->16511 16462 7ff69488f662 16463 7ff69488f6c7 16462->16463 16573 7ff694872690 InitializeCriticalSection 16462->16573 16465 7ff69488fabd 16463->16465 16514 7ff6948a0410 16463->16514 16467 7ff69488f6f1 _swprintf_c_l 16482 7ff69488f933 16467->16482 16524 7ff69488f340 16467->16524 16469 7ff69488f8c8 16528 7ff69488ce10 16469->16528 16473 7ff69488f902 16474 7ff69488fae0 18 API calls 16473->16474 16473->16482 16475 7ff69488f924 16474->16475 16476 7ff69488f928 16475->16476 16478 7ff69488f957 16475->16478 16574 7ff6948729e0 VirtualFree 16476->16574 16478->16482 16535 7ff6948a30a0 16478->16535 16482->16411 16484 7ff6948c8fd0 _swprintf_c_l 3 API calls 16483->16484 16485 7ff694871ed6 16484->16485 16486 7ff694871ede CreateEventW 16485->16486 16487 7ff694871f00 ISource 16485->16487 16486->16487 16487->16415 16489 7ff69488deaa _swprintf_c_l 16488->16489 16490 7ff694871eb0 4 API calls 16489->16490 16491 7ff69488deb8 16490->16491 16510 7ff69488e717 16491->16510 16611 7ff694872880 QueryPerformanceCounter 16491->16611 16493 7ff694891660 9 API calls 16494 7ff69488ded6 16493->16494 16494->16493 16495 7ff69488e246 16494->16495 16494->16510 16496 7ff694891660 9 API calls 16495->16496 16497 7ff69488e279 16496->16497 
16498 7ff694891660 9 API calls 16497->16498 16497->16510 16499 7ff69488e2b8 16498->16499 16500 7ff6948c8fd0 _swprintf_c_l 3 API calls 16499->16500 16499->16510 16501 7ff69488e581 16500->16501 16502 7ff69488e5e4 16501->16502 16503 7ff69488e5cd 16501->16503 16501->16510 16504 7ff6948c8fd0 _swprintf_c_l 3 API calls 16502->16504 16505 7ff69488e5da DebugBreak 16503->16505 16503->16510 16506 7ff69488e630 16504->16506 16505->16510 16507 7ff6948c8fd0 _swprintf_c_l 3 API calls 16506->16507 16506->16510 16508 7ff69488e6bd 16507->16508 16508->16510 16612 7ff694872690 InitializeCriticalSection 16508->16612 16510->16408 16512 7ff694872929 16511->16512 16513 7ff694872911 VirtualFree 16511->16513 16512->16462 16513->16462 16515 7ff6948a043f 16514->16515 16516 7ff6948a0462 16515->16516 16517 7ff6948a046c 16515->16517 16522 7ff6948a0497 16515->16522 16575 7ff694872a80 16516->16575 16519 7ff694872a00 3 API calls 16517->16519 16521 7ff6948a047d 16519->16521 16521->16522 16586 7ff6948729e0 VirtualFree 16521->16586 16522->16467 16526 7ff69488f35f 16524->16526 16527 7ff69488f37c 16526->16527 16587 7ff694871f70 16526->16587 16527->16469 16529 7ff69488ce32 16528->16529 16530 7ff6948c8fb0 8 API calls 16529->16530 16531 7ff69488cf53 16530->16531 16532 7ff694872a00 16531->16532 16533 7ff694872a44 GetCurrentProcess VirtualAllocExNuma 16532->16533 16534 7ff694872a25 VirtualAlloc 16532->16534 16533->16473 16534->16533 16594 7ff6948a2fb0 16535->16594 16538 7ff69488ed00 16544 7ff69488ed30 16538->16544 16539 7ff69488f311 16609 7ff694871e10 CloseHandle 16539->16609 16540 7ff69488f31d 16542 7ff69488f332 16540->16542 16543 7ff69488f326 16540->16543 16542->16482 16610 7ff694871e10 CloseHandle 16543->16610 16546 7ff694871eb0 4 API calls 16544->16546 16571 7ff69488ed8f 16544->16571 16547 7ff69488edcf 16546->16547 16548 7ff694871eb0 4 API calls 16547->16548 16547->16571 16549 7ff69488ede5 _swprintf_c_l 16548->16549 16550 7ff694872080 10 API calls 16549->16550 16549->16571 16551 7ff69488f10a 16550->16551 
16552 7ff694871eb0 4 API calls 16551->16552 16553 7ff69488f187 16552->16553 16554 7ff694871eb0 4 API calls 16553->16554 16570 7ff69488f1c9 16553->16570 16560 7ff69488f19d 16554->16560 16555 7ff69488f2c9 16558 7ff69488f2de 16555->16558 16559 7ff69488f2d2 16555->16559 16556 7ff69488f2bd 16605 7ff694871e10 CloseHandle 16556->16605 16562 7ff69488f2f3 16558->16562 16563 7ff69488f2e7 16558->16563 16606 7ff694871e10 CloseHandle 16559->16606 16560->16570 16600 7ff694871e30 16560->16600 16565 7ff69488f2fc 16562->16565 16562->16571 16607 7ff694871e10 CloseHandle 16563->16607 16608 7ff694871e10 CloseHandle 16565->16608 16568 7ff69488f1b3 16569 7ff694871eb0 4 API calls 16568->16569 16568->16570 16569->16570 16570->16555 16570->16556 16570->16571 16571->16539 16571->16540 16572 7ff69488f277 16571->16572 16572->16482 16573->16463 16574->16482 16576 7ff694872b46 GetLargePageMinimum 16575->16576 16577 7ff694872aae LookupPrivilegeValueW 16575->16577 16580 7ff694872b66 VirtualAlloc 16576->16580 16581 7ff694872b83 GetCurrentProcess VirtualAllocExNuma 16576->16581 16578 7ff694872aca GetCurrentProcess OpenProcessToken 16577->16578 16579 7ff694872b7f 16577->16579 16578->16579 16582 7ff694872b01 AdjustTokenPrivileges GetLastError CloseHandle 16578->16582 16584 7ff6948c8fb0 8 API calls 16579->16584 16580->16579 16581->16579 16582->16579 16583 7ff694872b3b 16582->16583 16583->16576 16583->16579 16585 7ff694872bb6 16584->16585 16585->16521 16586->16522 16588 7ff694871f78 16587->16588 16589 7ff694871f91 GetLogicalProcessorInformation 16588->16589 16593 7ff694871fbd ISource 16588->16593 16590 7ff694871fb2 GetLastError 16589->16590 16591 7ff694871fc4 16589->16591 16590->16591 16590->16593 16592 7ff694872001 GetLogicalProcessorInformation 16591->16592 16591->16593 16592->16593 16593->16527 16595 7ff6948a2fc9 16594->16595 16598 7ff69488fa9c 16594->16598 16596 7ff6948a2fe4 LoadLibraryExW 16595->16596 16595->16598 16597 7ff6948a3012 GetProcAddress 16596->16597 16596->16598 16599 7ff6948a3027 
16597->16599 16598->16538 16599->16598 16601 7ff6948c8fd0 _swprintf_c_l 3 API calls 16600->16601 16602 7ff694871e56 16601->16602 16603 7ff694871e5e CreateEventW 16602->16603 16604 7ff694871e7e ISource 16602->16604 16603->16604 16604->16568 16605->16555 16606->16558 16607->16562 16608->16571 16609->16540 16610->16542 16611->16494 16612->16510 16613->16421 16615 7ff69486b355 SetThreadPriority ResumeThread FindCloseChangeNotification 16614->16615 16616 7ff69486b34f 16614->16616 16615->16423 16616->16423 16618 7ff694874383 _swprintf_c_l 16617->16618 16622 7ff6948743a9 ISource _swprintf_c_l 16618->16622 16626 7ff694875300 16618->16626 16620 7ff6948743a0 16621 7ff69486b410 InitializeCriticalSectionEx 16620->16621 16620->16622 16621->16622 16622->16431 16624 7ff69486b3f0 DeleteCriticalSection 16623->16624 16625 7ff6948745f2 16624->16625 16627 7ff694872a00 3 API calls 16626->16627 16628 7ff694875322 16627->16628 16629 7ff69487532a 16628->16629 16630 7ff694872930 3 API calls 16628->16630 16629->16620 16631 7ff694875348 16630->16631 16634 7ff694875353 _swprintf_c_l 16631->16634 16635 7ff6948729e0 VirtualFree 16631->16635 16633 7ff69487546e 16633->16620 16634->16620 16635->16633 16637 7ff69486b1ee GetProcAddress 16636->16637 16638 7ff69486b203 16636->16638 16637->16638 16638->16237 16640 7ff69486b19e GetProcAddress 16639->16640 16641 7ff69486b1b3 16639->16641 16640->16641 16641->16232

                                            Control-flow Graph

                                            APIs
                                            • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF6948726BF
                                            • GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF6948726FD
                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF694872729
                                            • GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF69487273A
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF694872749
                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF6948727E0
                                            • GetProcessAffinityMask.KERNEL32 ref: 00007FF6948727F3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
                                            • String ID:
                                            • API String ID: 580471860-0
                                            • Opcode ID: 19b53f92ddd9a9a7ef10cbccfe69bfe921807fcdb46f8766bab15c0bbd7aa85f
                                            • Instruction ID: d127195dd8503b44a7055702793674d3fbbcbe9d8a0bffddf2c9a43ead60e3ea
                                            • Opcode Fuzzy Hash: 19b53f92ddd9a9a7ef10cbccfe69bfe921807fcdb46f8766bab15c0bbd7aa85f
                                            • Instruction Fuzzy Hash: 5F517932B1D74A86EBA08F19E69017967A1FF48B81F9480B5EA4DC7369EF7DE405C700

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00007FF69486B020: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF69486576B), ref: 00007FF69486B02B
                                              • Part of subcall function 00007FF69486B020: QueryInformationJobObject.KERNEL32 ref: 00007FF69486B0FE
                                              • Part of subcall function 00007FF69486AEC0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF694863819), ref: 00007FF69486AED1
                                            • RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF6948657D8
                                              • Part of subcall function 00007FF69486D7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF69486D8AD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: AllocExceptionHandleHandlerInformationModuleObjectQueryVectored_wcsicmp
                                            • String ID: StressLogLevel$TotalStressLogSize
                                            • API String ID: 2876344857-4058818204
                                            • Opcode ID: b8dcc97092589a3276693584986118e267024c8b20105f4c83ed43bccf9c10d3
                                            • Instruction ID: dd5fadfc188ef3570f9b9f32ef74dfb25ccf7d5a7d9891d306d49be3cf4509a6
                                            • Opcode Fuzzy Hash: b8dcc97092589a3276693584986118e267024c8b20105f4c83ed43bccf9c10d3
                                            • Instruction Fuzzy Hash: E141B632E2874282EAB4AF20E2922B97391EF41748F44C4B1EE4D9769ADF7CE505C740
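The two "APIs" listings above (the GetSystemInfo/GetProcessAffinityMask function and the RtlAddVectoredExceptionHandler function) are the raw material for the "API ID" token under "Similarity", which is what lets functions be matched across reports. The following is an added example, not Joe Sandbox code: it parses listing lines of this exact shape (bullet, optional "Part of subcall function <addr>:" prefix, API.MODULE, optional argument list, "ref: <addr>") into records and rebuilds the API ID. The token rule it implements (split API names at CamelCase boundaries, drop words shorter than four characters, count every occurrence, order groups by descending frequency with words sorted alphabetically inside each group, join groups with "$") is inferred from the two listings on this page and reproduces both IDs exactly; it is an assumption about the format, not a documented algorithm. The embedded input is the two listings copied from this page.

```python
"""Parse a Joe Sandbox 'APIs' listing and rebuild the Similarity 'API ID'.

Added example, not Joe Sandbox code.  The API-ID rule below is inferred
from the two listings on this report page and reproduces both of them;
treat it as an assumption, not a documented format.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the two 'APIs' listings copied from this report page.
LISTING_A = """
• GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF6948726BF
• GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF6948726FD
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF694872729
• GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF69487273A
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF694872749
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF6948727E0
• GetProcessAffinityMask.KERNEL32 ref: 00007FF6948727F3
"""
LISTING_B = """
  • Part of subcall function 00007FF69486B020: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF69486576B), ref: 00007FF69486B02B
  • Part of subcall function 00007FF69486B020: QueryInformationJobObject.KERNEL32 ref: 00007FF69486B0FE
  • Part of subcall function 00007FF69486AEC0: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF694863819), ref: 00007FF69486AED1
• RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF6948657D8
  • Part of subcall function 00007FF69486D7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF69486D8AD
"""

# One listing line: [bullet] [Part of subcall function ADDR:] API.MODULE[(args)][,] ref: ADDR
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_.-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_listing(text):
    """Return one dict per API line: api, module, ref, subcall (None if direct), args."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:  # headings such as 'APIs' or 'Strings' are skipped
            continue
        calls.append({
            "api": m["api"],
            "module": m["module"],
            "ref": int(m["ref"], 16),
            "subcall": int(m["subcall"], 16) if m["subcall"] else None,
            "args": m["args"].split(",") if m["args"] else [],
        })
    return calls


# CamelCase words, plus lowercase/underscore names such as _wcsicmp kept whole.
WORD = re.compile(r"[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*")
MIN_WORD = 4  # assumption: short words (Get, Rtl, Fls, Job, Ex, W) never appear in the IDs


def api_id(api_names):
    """Rebuild the 'API ID' token from the API names of one listing (inferred rule)."""
    words = [w for name in api_names for w in WORD.findall(name) if len(w) >= MIN_WORD]
    counts = Counter(words)  # a repeated call (GetCurrentProcess twice) counts twice
    groups = defaultdict(list)
    for word, n in counts.items():
        groups[n].append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def rebuild_api_id(text):
    return api_id(c["api"] for c in parse_api_listing(text))


def calls_by_module(calls):
    """Group API names by the module the plugin resolved them to."""
    out = defaultdict(list)
    for c in calls:
        out[c["module"]].append(c["api"])
    return dict(out)


if __name__ == "__main__":
    for label, text in (("A", LISTING_A), ("B", LISTING_B)):
        calls = parse_api_listing(text)
        print(f"listing {label}: {len(calls)} calls, by module {calls_by_module(calls)}")
        print(f"  API ID = {rebuild_api_id(text)}")
```

The "ref" and "subcall" addresses are parsed as integers so they can be compared with the function addresses in the control-flow graph dumps on this page; the "API String ID" values are not reproduced here, since the page gives no basis for how they are derived from the API ID and String ID.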

                                            Control-flow Graph

                                            Control-flow graph (interactive graph not rendered; node and edge list omitted): function entry block 7ff694879140-7ff69487916e, basic blocks spanning 7ff694879140-7ff694879843.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
                                            • String ID: Creation of WaitForGCEvent failed$TraceGC is not turned on
                                            • API String ID: 133006248-518909315
                                            • Opcode ID: a883baec98bf013cbae05903c849c0ebf41d363100fd1e29f5bb9a2db04b5c56
                                            • Instruction ID: c2ec117ad092ab8e0fbe1a75e909c366df7c9eb7feacaf0d30ddc9a59c968e29
                                            • Opcode Fuzzy Hash: a883baec98bf013cbae05903c849c0ebf41d363100fd1e29f5bb9a2db04b5c56
                                            • Instruction Fuzzy Hash: D5026970F1D60782FEB59B25AAE537422A0EF44781F24CAB9D90EC67A5EE3CE441C341
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 241da7e2b747a005830d0915d3c17f1200466a050c4dac74bba9f43b15fdd976
                                            • Instruction ID: fbbed972383666a0a26cb7a661296561d69f983396ad6bfabe9c2d432e446c6a
                                            • Opcode Fuzzy Hash: 241da7e2b747a005830d0915d3c17f1200466a050c4dac74bba9f43b15fdd976
                                            • Instruction Fuzzy Hash: 8562C171A1874686EFB58B29A6E83357691FF55781F20C2B5D91EE3358EF3CE881C600
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID:
                                            • API String ID: 2050909247-0
                                            • Opcode ID: 4b9e56fa8bd82e0999566641afb8b49dffdbdbc37bb6260533037af069611866
                                            • Instruction ID: 10a979fb8d8408d119c11743ae50cece3fe8caf417d71d437e5caf83d081d93f
                                            • Opcode Fuzzy Hash: 4b9e56fa8bd82e0999566641afb8b49dffdbdbc37bb6260533037af069611866
                                            • Instruction Fuzzy Hash: 28029271F2DA0686FEB58B29A9C023866D1EF5634AF24C6B5C50DD6268DF3EF481C640
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 63be20e83a5dc59e06a2b4a488b109fcff4d4b7f40a7f9cd1f9333ad3b6f2b2f
                                            • Instruction ID: ef98c97aa74fb7197c0e3b94437ad9a1108e04dc3c3d26308cd39f9a53339bc2
                                            • Opcode Fuzzy Hash: 63be20e83a5dc59e06a2b4a488b109fcff4d4b7f40a7f9cd1f9333ad3b6f2b2f
                                            • Instruction Fuzzy Hash: 8AF1A131E1CB4285FAB2DB25AAD12756295EF96381F24C3B6D50DD23A6FF2CB191C300

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
                                            • String ID: @$@$@
                                            • API String ID: 2645093340-1177533131
                                            • Opcode ID: ca88b2e47b65645c36c042b4dc4072e1c75f948b70b361a8b6e96ed663280510
                                            • Instruction ID: faf4e71018df7ef64d00b7ca9c4748276c08efcadb39961c3fdafa323f431a61
                                            • Opcode Fuzzy Hash: ca88b2e47b65645c36c042b4dc4072e1c75f948b70b361a8b6e96ed663280510
                                            • Instruction Fuzzy Hash: AA51303170DAC185EBB18F15E5903AAB3A0FB88B54F548275DA9D93B98CF3CD445CB01

                                            Control-flow Graph

                                            APIs
                                            • FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF69486576B), ref: 00007FF69486B02B
                                              • Part of subcall function 00007FF6948726B0: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF6948726BF
                                              • Part of subcall function 00007FF6948726B0: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF6948726FD
                                              • Part of subcall function 00007FF6948726B0: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF694872729
                                              • Part of subcall function 00007FF6948726B0: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF69487273A
                                              • Part of subcall function 00007FF6948726B0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69486B04A), ref: 00007FF694872749
                                              • Part of subcall function 00007FF69486D7B0: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF69486D8AD
                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF69486576B), ref: 00007FF69486B09A
                                            • GetProcessAffinityMask.KERNEL32 ref: 00007FF69486B0AD
                                            • QueryInformationJobObject.KERNEL32 ref: 00007FF69486B0FE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem_wcsicmp
                                            • String ID: PROCESSOR_COUNT
                                            • API String ID: 296690692-4048346908
                                            • Opcode ID: f854a702a83dc01c41646339c6b0099762c4a12ee8e6a0d15d954c5e394c61ba
                                            • Instruction ID: 36ba4200101b8ec31b4d9ff618b0fb9046d945c0558bd64cc70f4f6cf2dc83ce
                                            • Opcode Fuzzy Hash: f854a702a83dc01c41646339c6b0099762c4a12ee8e6a0d15d954c5e394c61ba
                                            • Instruction Fuzzy Hash: 6D31B371A2CA4286EBB4AF50DAD03BD77A5EF44348F5480B1D65DC3799DE2CE809CB41

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            • Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF694866726
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: ExceptionFailFastRaise$Sleep
                                            • String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
                                            • API String ID: 3706814929-926682358
                                            • Opcode ID: 748c09927475cf9e349a911d070e2e85ba1b369a78d20386409e9d4058d69fe5
                                            • Instruction ID: f2f0d48c6cbbfd72f6d33f48075f478793ecb17c26cd0de6784e8c6173ec0eb8
                                            • Opcode Fuzzy Hash: 748c09927475cf9e349a911d070e2e85ba1b369a78d20386409e9d4058d69fe5
                                            • Instruction Fuzzy Hash: 15415C76A29A8686EBE18F19F69037933E0EB04B84F188179DA4DD7394DF3DE851C350

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
                                            • String ID:
                                            • API String ID: 2150560229-0
                                            • Opcode ID: 43130a00a2952a497caba751cbab80e0c5945ae47426b9584871a3a1cc0fd745
                                            • Instruction ID: 061114f95c24e176437ed1235e104a42f51b5394462858155cbb7ebc58b6e33b
                                            • Opcode Fuzzy Hash: 43130a00a2952a497caba751cbab80e0c5945ae47426b9584871a3a1cc0fd745
                                            • Instruction Fuzzy Hash: E1E092A5E5670282FB299F22B8583396750FF98B89F0884B4EE4F46361EF7CD585D600

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Control-flow graph (interactive graph not rendered; node and edge list omitted): function entry block 7ff694872080-7ff6948720b1, basic blocks spanning 7ff694872080-7ff69487225b; API calls shown in the graph: GetCurrentProcess, GlobalMemoryStatusEx.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: CurrentGlobalMemoryProcessStatus
                                            • String ID: @
                                            • API String ID: 3261791682-2766056989
                                            • Opcode ID: 9126c160c7f3f8a979c28d89de266492a2cb26c761d1c6b8a32731156d037bec
                                            • Instruction ID: 39f929b5258040bcf6f9a0b0f6bf969b5b0679a34b45d8f0cc3a25cc93730e22
                                            • Opcode Fuzzy Hash: 9126c160c7f3f8a979c28d89de266492a2cb26c761d1c6b8a32731156d037bec
                                            • Instruction Fuzzy Hash: BD41A271B1EB4641E976CA7692A03399652FF59BC0F18C771EA0EA6744FF3CE491C600

                                            Control-flow Graph

                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF69488DA29), ref: 00007FF6948A0510
                                            • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF69488DA29), ref: 00007FF6948A0586
                                            • EnterCriticalSection.KERNEL32(?,00000000,00000001,00007FF69488DA29), ref: 00007FF6948A05DE
                                            • LeaveCriticalSection.KERNEL32(?,00000000,00000001,00007FF69488DA29), ref: 00007FF6948A0604
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: 8596cd8b17cfc4c9012a95026411ea1fb58e51e4c51ec36a2e9fd3798af9f9b3
                                            • Instruction ID: e0b567da3a7eabb57452133bca82e61560c69fb4e2083f2b84d092c92bbaf6e8
                                            • Opcode Fuzzy Hash: 8596cd8b17cfc4c9012a95026411ea1fb58e51e4c51ec36a2e9fd3798af9f9b3
                                            • Instruction Fuzzy Hash: 32415BA1E5CA0681EA719F10E9C437923A0FF563A8F6882B5D94DD66A6DFBCE441C310

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            Control-flow graph (interactive graph not rendered; node and edge list omitted): function entry block 7ff69487cf30-7ff69487cf5d, basic blocks spanning 7ff69487cf30-7ff69487d1fd; API call shown in the graph: SwitchToThread.
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: SwitchThread
                                            • String ID:
                                            • API String ID: 115865932-0

                                            Control-flow Graph

                                            APIs
                                            • VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF694875348,?,?,0000000A,00007FF6948743A0,?,?,00000000,00007FF69486EA91), ref: 00007FF694872957
                                            • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF694875348,?,?,0000000A,00007FF6948743A0,?,?,00000000,00007FF69486EA91), ref: 00007FF694872977
                                            • VirtualAllocExNuma.KERNEL32 ref: 00007FF694872998
                                            Similarity
                                            • API ID: AllocVirtual$CurrentNumaProcess
                                            • String ID:
                                            • API String ID: 647533253-0

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: EventRegister
                                            • String ID: gcConservative
                                            • API String ID: 3840811365-1953527212

                                            Control-flow Graph

                                            APIs
                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6948C8FD9,?,?,?,?,00007FF69486DBC1,?,?,?,00007FF69486E13C,00000000,00000020,?), ref: 00007FF6948C8EEE
                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6948C8F04
                                              • Part of subcall function 00007FF6948C9A2C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6948C9A35
                                            Similarity
                                            • API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
                                            • String ID:
                                            • API String ID: 205171174-0

                                            Control-flow Graph

                                            APIs
                                            Similarity
                                            • API ID: ChangeCloseCreateFindNotificationThread
                                            • String ID:
                                            • API String ID: 4060959955-0
                                            APIs
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            Similarity
                                            • API ID: Virtual$AllocFree
                                            • String ID:
                                            • API String ID: 2087232378-0
                                            APIs
                                            Similarity
                                            • API ID: BreakDebug
                                            • String ID:
                                            • API String ID: 456121617-0
                                            APIs
                                            Similarity
                                            • API ID: ExceptionFailFastQueryRaiseVirtual
                                            • String ID:
                                            • API String ID: 3307674043-0
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCWriteBarrier$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
                                            • API String ID: 0-658696054
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
                                            • API String ID: 0-2080704861
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
                                            • String ID: SeLockMemoryPrivilege
                                            • API String ID: 1752251271-475654710
                                            • Opcode ID: ddb9acfd945d833e265492e35a954827198e86c4bc086900fbe4fb1499a4b753
                                            • Instruction ID: 5fdf7c053b0a63fd25a112ba13a3632715efc9406de5856d2d5dd7a777cf4b05
                                            • Opcode Fuzzy Hash: ddb9acfd945d833e265492e35a954827198e86c4bc086900fbe4fb1499a4b753
                                            • Instruction Fuzzy Hash: 4631B431B0EB4285FB308F61B59427A67A1FF84B84F1480B5EA4E87759DE3CD444C740
                                            APIs
                                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF694868A70,?,?,?,?,?,?,?,?,?), ref: 00007FF69486813B
                                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF694868A70,?,?,?,?,?,?,?,?,?), ref: 00007FF69486829A
                                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF694868A70,?,?,?,?,?,?,?,?,?), ref: 00007FF694868390
                                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF694868A70,?,?,?,?,?,?,?,?,?), ref: 00007FF6948683A6
                                            • RaiseFailFastException.KERNEL32(?,?,00000000,00000000,00000000,?,00007FF694868A70,?,?,?,?,?,?,?,?,?), ref: 00007FF694868406
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: ExceptionFailFastRaise
                                            • String ID: [ KeepUnwinding ]
                                            • API String ID: 2546344036-400895726
                                            • Opcode ID: ccef75ce2b4fd517aeb3d753c38118d6ca4b9bf99982452ca9f0cb54815e2628
                                            • Instruction ID: 19c1c3c6519afb807ca814af30972e9918e1166982ae06ed10e62e2db1d5ea25
                                            • Opcode Fuzzy Hash: ccef75ce2b4fd517aeb3d753c38118d6ca4b9bf99982452ca9f0cb54815e2628
                                            • Instruction Fuzzy Hash: 3FC1A47261AB4281EBB5CF25E5D16A933A1FB04B4CF588176CE0D8B398DF39E496C310
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: efb2c1910f7fe4eb1fdb9db6ef462f9c960acadc62b879df81811dfe8f91f112
                                            • Instruction ID: 51ebfe256c84d1f7a402940730fbfabdc4247466635711707f6ffd67e831d403
                                            • Opcode Fuzzy Hash: efb2c1910f7fe4eb1fdb9db6ef462f9c960acadc62b879df81811dfe8f91f112
                                            • Instruction Fuzzy Hash: 23115A36B15F018AEF10CF60E8942B833A4FB19798F040E71EA6D827A8DF78D554C340
                                            APIs
                                            Strings
                                            • The required instruction sets are not supported by the current CPU., xrefs: 00007FF69486570E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: ExceptionFailFastRaise
                                            • String ID: The required instruction sets are not supported by the current CPU.
                                            • API String ID: 2546344036-3318624164
                                            • Opcode ID: ab07537777515488e9e8f57eef12ca18558389b5460dfc982353195e4352bf6a
                                            • Instruction ID: bdc6accb6333453941b3169d32a3bad172457502611e978adce5c3909ad8d373
                                            • Opcode Fuzzy Hash: ab07537777515488e9e8f57eef12ca18558389b5460dfc982353195e4352bf6a
                                            • Instruction Fuzzy Hash: 09715EB4A3823B4AFBB84F19A5CD5353791EF21391F9095B8D409DBA95DE2DF810CA00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: BreakCounterCreateDebugEventPerformanceQuery
                                            • String ID:
                                            • API String ID: 4239280443-0
                                            • Opcode ID: 252cd89e4528406686be57cf00f60d5450300994312d88c791e533677183f503
                                            • Instruction ID: 01978506e3fd90cde0b4cdd2ab623767324a82eb97d984438b67fe00e3977375
                                            • Opcode Fuzzy Hash: 252cd89e4528406686be57cf00f60d5450300994312d88c791e533677183f503
                                            • Instruction Fuzzy Hash: C5420831D18B4285FBA0CB24B9D027533A4FF59785F20D2B9D99DA2769EF3CA1A1D340
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 3af64f1d3e18b5226ba85596036ff583db5a1ecd88759b32c0d3579c6f4f138e
                                            • Instruction ID: cf487aab9a317fb5b0564f3207901b3f79c9c1a5a063caf5edcddc4a63a4f6f8
                                            • Opcode Fuzzy Hash: 3af64f1d3e18b5226ba85596036ff583db5a1ecd88759b32c0d3579c6f4f138e
                                            • Instruction Fuzzy Hash: 2752C032B09F8686EE748F05E99427973A1FB447A5F148675CA6E877A8DF3DE450C300
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ?
                                            • API String ID: 0-1684325040
                                            • Opcode ID: 1fe4063cd8a7627479a9be527d78d8baf63d271df9d58fc4a7a5da7ffb6242fc
                                            • Instruction ID: 954c33e62521fc29c1bf3cee85cf669091ca74a58731bb20c8b49f3a9b9d2435
                                            • Opcode Fuzzy Hash: 1fe4063cd8a7627479a9be527d78d8baf63d271df9d58fc4a7a5da7ffb6242fc
                                            • Instruction Fuzzy Hash: 1B12D032B1CA8682EA20CB05E6907B973A5FB54B98F148275DE5D87BD8DF3CE451C740
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fbbfacb1d8f9f6609acfa47c3662894f093c3c4e861cb0b99195e5338392d3b5
                                            • Instruction ID: 39750c3b139fdd1a63ee3d6f1e5c0dca7fb03a432f45d73872ee58530bfdf6b5
                                            • Opcode Fuzzy Hash: fbbfacb1d8f9f6609acfa47c3662894f093c3c4e861cb0b99195e5338392d3b5
                                            • Instruction Fuzzy Hash: 8792EE61E19F4685EEA5CB15AAD46B463A1FF48BC5F24C2B6D80ED3364DE3EE485C300
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb0bdc50d0a79732d1fbaaf7e6b7a9e629728ad14d5191bc8c1cbe51083c7122
                                            • Instruction ID: 1080491b7874cd72da2b9f6bb147bc530179b120cc1046cf133049ec4437e0d9
                                            • Opcode Fuzzy Hash: bb0bdc50d0a79732d1fbaaf7e6b7a9e629728ad14d5191bc8c1cbe51083c7122
                                            • Instruction Fuzzy Hash: 33428B72B08F4686EB208F65E5802AD77B1FB48BC8F148576EE4E97B58CE39E451C700
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1fb2c77b25ed1ccfa3b74ae9a7e59123a7fd091295756a8848aa9ea6743a7ee8
                                            • Instruction ID: 2788ec6acfa05cac7e901795479abf7e6665267d7cc7e21247df57f26354bd82
                                            • Opcode Fuzzy Hash: 1fb2c77b25ed1ccfa3b74ae9a7e59123a7fd091295756a8848aa9ea6743a7ee8
                                            • Instruction Fuzzy Hash: 7F32A172F0DB458AEB70CFA5D6806BC27A1FB05B88B148576CE1DA7B98CE39E455C340
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 874d07d0b63e12727b284f3094aca6d283b2919d332a0d816e76fe305952f5ec
                                            • Instruction ID: 7f82b47877ac0bbed1c132ed308721e55a851e0c984b3f1113a7bcb2e60b2a6e
                                            • Opcode Fuzzy Hash: 874d07d0b63e12727b284f3094aca6d283b2919d332a0d816e76fe305952f5ec
                                            • Instruction Fuzzy Hash: B202C372B28A8686EA648F59E59067937A0FB42BA8F51C371CA7D977D5CF3CE441C300
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: CounterPerformanceQuery
                                            • String ID:
                                            • API String ID: 2783962273-0
                                            • Opcode ID: e816d686233bc00fa271f6222e436da18f7514f741235fe5f6e969e94f8297b3
                                            • Instruction ID: be7a532c06e96cb472401207a7858947a564df0c2c06f43a9dcc46efb4c11f77
                                            • Opcode Fuzzy Hash: e816d686233bc00fa271f6222e436da18f7514f741235fe5f6e969e94f8297b3
                                            • Instruction Fuzzy Hash: 84028F32F1EB4685EEB2CB2596E037427A1EF85748F24C2B5CA4D97795DF2DE481C200
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1234fb6fc9fdbe2454c2e37c2c00e3cb25b3c3dd0762fcc38499df4434799227
                                            • Instruction ID: 1f01d29b2d5c0552b9c6c4a5ba03545fc9b667bdb4039e3d8bb3cff8c36a011d
                                            • Opcode Fuzzy Hash: 1234fb6fc9fdbe2454c2e37c2c00e3cb25b3c3dd0762fcc38499df4434799227
                                            • Instruction Fuzzy Hash: 3AE1D272A19B4686EFA18B15E98037877E1FB44B85F1496BAC90EC33A4DF3DE085C701
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 453bf3b22287000f81a5ec2596a3fa4ef9a653b6828c08814b5912e62688ddc6
                                            • Instruction ID: 8e30aed036d3859700ca88a2a14bf6f90297aa519c425fe91e60a4a96d83ffdf
                                            • Opcode Fuzzy Hash: 453bf3b22287000f81a5ec2596a3fa4ef9a653b6828c08814b5912e62688ddc6
                                            • Instruction Fuzzy Hash: DCB1B132A0D65186E774CB16A58077A67E5EB8DB94F10C071EA8D87B9ADF3CD482CB00
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e81833f11647e4d4ec49dfadb2e7185eedecc70ecef5022b32c5d3ead13eb584
                                            • Instruction ID: a6460664675c506ef5c757d77274f084e2349b20476fafa0dcfb4cdc226193b7
                                            • Opcode Fuzzy Hash: e81833f11647e4d4ec49dfadb2e7185eedecc70ecef5022b32c5d3ead13eb584
                                            • Instruction Fuzzy Hash: 59C1A072A19A4682EEA0CF05E9D423877A1FB44BA1F5482B5C96DC7B98DF3CE452C344
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d39069bb3f1b925de6bb941b57d05fde1f5ae2aeb21a7ffe6707880de4ef7fdb
                                            • Instruction ID: aa5973deedf4a7266a27b45ecbfc7292f2d5c9ee47e09f158c1f1075f1c90f81
                                            • Opcode Fuzzy Hash: d39069bb3f1b925de6bb941b57d05fde1f5ae2aeb21a7ffe6707880de4ef7fdb
                                            • Instruction Fuzzy Hash: D4C1CE32A19F8682EEA4CF05E99417873A1FB44BA1F5486B6D96DD77A8DF3DE050C300
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 698b1eb0f12bb360d32be34a2578f2072ee67adb90f2d36c13fcef9792f4541b
                                            • Instruction ID: a898921954a69d5a2f82b251500206e0321443516511137e58fce326bb932f0d
                                            • Opcode Fuzzy Hash: 698b1eb0f12bb360d32be34a2578f2072ee67adb90f2d36c13fcef9792f4541b
                                            • Instruction Fuzzy Hash: 87914B72A1DB8285EAB09B15E9D03A933E4FB89795F6081B9D98DD3765EF3CE041C700
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db1fbb49aca1fc5293637b942dc58e3bd9f3bdc412a1f0a433097ebfc995b2ff
                                            • Instruction ID: d5d16a7f22acaecb517f747f3e44cc371a399d1f985c2f0c6107caedaae72303
                                            • Opcode Fuzzy Hash: db1fbb49aca1fc5293637b942dc58e3bd9f3bdc412a1f0a433097ebfc995b2ff
                                            • Instruction Fuzzy Hash: DC51B521F1A74E41E926877A52816795152EF5A7C0E1CCF71DA1EB6791FF2EF081C600
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: 47a731730c54ca9cb58249242bd6d1539e37c2f7b44236d311f769d44744098d
                                            • Instruction ID: 252a0bda4b7e98edfacd11233ee695fc58f3a28d0d88e6e9228b9a7a479ffab5
                                            • Opcode Fuzzy Hash: 47a731730c54ca9cb58249242bd6d1539e37c2f7b44236d311f769d44744098d
                                            • Instruction Fuzzy Hash: 8621D762B2864242EBF4CB39A3D667E1350EF89780F54A171EF2C83B86DD19D891CA04
                                            Similarity
                                            • API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
                                            • String ID: InitializeContext2$kernel32.dll
                                            • API String ID: 4102459504-3117029998
                                            • Opcode ID: ae908663245adc436bddbdeaeefb791612a2dcc4c0698f10f7af4653a4f5a060
                                            • Instruction ID: e2f6cbe351e6f53f4036da727a43fb60fcea81b2288deae7a839ad50973bfbdc
                                            • Opcode Fuzzy Hash: ae908663245adc436bddbdeaeefb791612a2dcc4c0698f10f7af4653a4f5a060
                                            • Instruction Fuzzy Hash: 9231A335A19B8682FB618F51B68023AB390FF84795F4485B1DD4D83BA8DF7CE546C710
                                            Similarity
                                            • API ID: Thread$AddressContextErrorLastLibraryLoadProcResumeSuspend
                                            • String ID: QueueUserAPC2$kernel32
                                            • API String ID: 3714266957-4022151419
                                            • Opcode ID: 2c927c7249ad306362750963f21d316bcf2fc60d905bd8730f4bf37492db24bc
                                            • Instruction ID: 147e5d8a704f15906f50fe23e85f5792f9dbceaeb350302ec8df7c091f932f56
                                            • Opcode Fuzzy Hash: 2c927c7249ad306362750963f21d316bcf2fc60d905bd8730f4bf37492db24bc
                                            • Instruction Fuzzy Hash: EE319E70B18A4281EAB08B15EAD43B93391EF55BA4F5083B4ED6EC6BD5DF2CE406C740
                                            Similarity
                                            • API ID: SwitchThread
                                            • String ID:
                                            • API String ID: 115865932-0
                                            • Opcode ID: c13f5500ea1206e8ec5f05ebe3918e2a796096b40ac2d42ce93c8136b207df3a
                                            • Instruction ID: 89bebdbbe47e1cd75391c80010f1256303c3afafcdcd2e10de834750200ac8ef
                                            • Opcode Fuzzy Hash: c13f5500ea1206e8ec5f05ebe3918e2a796096b40ac2d42ce93c8136b207df3a
                                            • Instruction Fuzzy Hash: A0A16E31F1D20386FBB09B25AAE067527D5EF60759F24C2B4E81DC66D9DE2DF840D601
                                            Similarity
                                            • API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
                                            • String ID:
                                            • API String ID: 510365852-3916222277
                                            • Opcode ID: aac18b405e8186b4baee27d6e985e552b0b39ad9a33c4f5303744330f0df3245
                                            • Instruction ID: 2f08a624a196d7785f186b9dd5a73cbed08acb07572cd024374e0e786ed8f425
                                            • Opcode Fuzzy Hash: aac18b405e8186b4baee27d6e985e552b0b39ad9a33c4f5303744330f0df3245
                                            • Instruction Fuzzy Hash: DA118E72608B818ADB60EF29B58019A7360FB457B4F144335E6BD8BBD6CF78D482C700
                                            Similarity
                                            • API ID: SwitchThread
                                            • String ID:
                                            • API String ID: 115865932-0
                                            • Opcode ID: 01a89e310edcfaae1fb5271710d384d3bec56e2db4509541efe95d0668bf02e1
                                            • Instruction ID: 4a7889cf929f172616e7ffa97d8beb93d3ca0588c4e409e49f3e9b9e1b252903
                                            • Opcode Fuzzy Hash: 01a89e310edcfaae1fb5271710d384d3bec56e2db4509541efe95d0668bf02e1
                                            • Instruction Fuzzy Hash: D9811531F1820747FBB4AB29AAC063632D0EF44795F2482B8D96DC67D9DE2DF840DA40
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4925265d335df46503082d2c1781a34d3e0d223418845ac7cdcc66a46ba4cbf
                                            • Instruction ID: 3844696eb1165c4637a0424d92ad8dcd4aa7a062a805ea196a8a05a13f6da48b
                                            • Opcode Fuzzy Hash: a4925265d335df46503082d2c1781a34d3e0d223418845ac7cdcc66a46ba4cbf
                                            • Instruction Fuzzy Hash: FF719B31B0D64292EAB09B65A7D037962A0FF50B94F1886B5DE2D87BDADF3CE410C300
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: fdd8821be70e8f4af1b4b7b20535a1b3b8966f9a60369030a749fb4c51b42ef3
                                            • Instruction ID: 11ab6289ca0e3500f5fb2c374d95eb380335d808e3bed788e8bf95f56b692264
                                            • Opcode Fuzzy Hash: fdd8821be70e8f4af1b4b7b20535a1b3b8966f9a60369030a749fb4c51b42ef3
                                            • Instruction Fuzzy Hash: F7E1DF72B19A5685DA648F65EA94AB823A1FF047E4F508372DA3DD7BD8DF38E015C300
                                            Similarity
                                            • API ID: ExceptionFailFastRaise
                                            • String ID: Process is terminating due to StackOverflowException.
                                            • API String ID: 2546344036-2200901744
                                            • Opcode ID: fe34fe60a8b53b133f424caca37e213f3d652fd43d92ea617847fbec9e1bc9e9
                                            • Instruction ID: 329e424b1711a6fa3370be2c4e0aeb13cc643986896c45944c60cd3fe589f14e
                                            • Opcode Fuzzy Hash: fe34fe60a8b53b133f424caca37e213f3d652fd43d92ea617847fbec9e1bc9e9
                                            • Instruction Fuzzy Hash: 67518365A29A4681EFB49B1AE6C02B83390EF49B94F14C1B2DA1EC7795DF2CE495C300
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,?,0000021720C00000,00007FF6948A30AD,?,?,00000000,00007FF69488FA9C,?,FFFFFFFF,47AE147AE147AE15,00007FF69487964C), ref: 00007FF6948A3002
                                            • GetProcAddress.KERNEL32(?,?,?,?,0000021720C00000,00007FF6948A30AD,?,?,00000000,00007FF69488FA9C,?,FFFFFFFF,47AE147AE147AE15,00007FF69487964C), ref: 00007FF6948A301C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetEnabledXStateFeatures$kernel32.dll
                                            • API String ID: 2574300362-4754247
                                            • Opcode ID: 0d1bad6a7b8d3c1afb901e75ce55123fadd1554c836fe95c377a29b41be358a4
                                            • Instruction ID: ad36643dbb73a198d4589f60c74d9f2179299c63f3aa5924d83d54a27089afc4
                                            • Opcode Fuzzy Hash: 0d1bad6a7b8d3c1afb901e75ce55123fadd1554c836fe95c377a29b41be358a4
                                            • Instruction Fuzzy Hash: E721DF52F2D65242FFB89769E2953791381DF187A0F84C0BAE90EC2BC9DD9DE980C700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetEnabledXStateFeatures$kernel32
                                            • API String ID: 2574300362-4273408117
                                            • Opcode ID: 532f177c9a3abf93edbeefab53f090ab908d42bf1be2dcd3b1f8b265f2863a08
                                            • Instruction ID: 24f8804ba3914c0a852d4f619a308ef878184d82b9fe752d5efe2dc40928c114
                                            • Opcode Fuzzy Hash: 532f177c9a3abf93edbeefab53f090ab908d42bf1be2dcd3b1f8b265f2863a08
                                            • Instruction Fuzzy Hash: C8E08614F2B65281FF645F9198C52B92390FFA9700FC8C4F4C80E82395EE3CA64AD700
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetEnabledXStateFeatures$kernel32
                                            • API String ID: 2574300362-4273408117
                                            • Opcode ID: d9ff822428f1893a5703cac88901d505093234beacf457cec68585e3c479c2ba
                                            • Instruction ID: b6da8280678a25772559fdda41c14c6b97794ea42faa24254ba5e6b1b4d259fe
                                            • Opcode Fuzzy Hash: d9ff822428f1893a5703cac88901d505093234beacf457cec68585e3c479c2ba
                                            • Instruction Fuzzy Hash: 59E0BF18F1BA5291FF659B9158C11742355EF59740F98C4F4C81E81354DE2CA659DB10
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: SwitchThread
                                            • String ID:
                                            • API String ID: 115865932-0
                                            • Opcode ID: 669846d24bbda5f65c578a588012ee14f3413299c3a7e3c496bd00c502c477b6
                                            • Instruction ID: ab8e292639a42c57ce56d06f812a4d108067781fd4d8177af0644b2bb961376f
                                            • Opcode Fuzzy Hash: 669846d24bbda5f65c578a588012ee14f3413299c3a7e3c496bd00c502c477b6
                                            • Instruction Fuzzy Hash: F941B432B1995681EBB58B25C2C013D6A90EB04F94F24D57ED64EC6FC9DE3EE841C741
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: SwitchThread
                                            • String ID:
                                            • API String ID: 115865932-0
                                            • Opcode ID: ea4baac3568b8008df20d653752b465ece59447f5b54120d8eb719c92615070f
                                            • Instruction ID: 2e423081c779009a559062153cd080862bec3fb1736cb7cc552c79c47b34d549
                                            • Opcode Fuzzy Hash: ea4baac3568b8008df20d653752b465ece59447f5b54120d8eb719c92615070f
                                            • Instruction Fuzzy Hash: D251D230F1D2034AFBB49B299AC167522D5EF14759F24C1B8E92DC22D6EF2DF840D601
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: BreakDebug
                                            • String ID:
                                            • API String ID: 456121617-0
                                            • Opcode ID: 21388db3ff23c23bfe290b02463c8e984ea9257b12978aae731d96e3086609a7
                                            • Instruction ID: a20e50918bf2acef2b15faeb1e7bc895eca80a5178caf16123d6ab888a92fb40
                                            • Opcode Fuzzy Hash: 21388db3ff23c23bfe290b02463c8e984ea9257b12978aae731d96e3086609a7
                                            • Instruction Fuzzy Hash: 8541B022B0DE4591EA7A9B51E3803796AE8EF44B98F1980B5DF4C87395DF7EE481C340
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: BreakDebug
                                            • String ID:
                                            • API String ID: 456121617-0
                                            • Opcode ID: a762ba7bdb9e68b543346d8befee5f14f7d2aaaa5ecc6a7732aa10b9ae04d0ef
                                            • Instruction ID: b1f3cf8b5c812ad78396df4dc7b3543fc78b8090bea43e63669e3f15b2fa7a57
                                            • Opcode Fuzzy Hash: a762ba7bdb9e68b543346d8befee5f14f7d2aaaa5ecc6a7732aa10b9ae04d0ef
                                            • Instruction Fuzzy Hash: D9319022A19B4683EA759F55A2C03B9B7E4EF45B98F1880B4DE5D87795DF7CE840C300
                                            APIs
                                            • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF694866431), ref: 00007FF69486AD34
                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF694866431), ref: 00007FF69486AD3E
                                            • CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF694866431), ref: 00007FF69486AD5D
                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF694866431), ref: 00007FF69486AD71
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: ErrorLastMultipleWait$HandlesObjects
                                            • String ID:
                                            • API String ID: 2817213684-0
                                            • Opcode ID: 1b63c40e6d013145cedae492ad8f21b5e2360a6dd9ad6664cb5addbe83128acf
                                            • Instruction ID: 92fcb2d671b991fb96b20275d5514509f86508d6e7f18fa7866e71f9d7a3d315
                                            • Opcode Fuzzy Hash: 1b63c40e6d013145cedae492ad8f21b5e2360a6dd9ad6664cb5addbe83128acf
                                            • Instruction Fuzzy Hash: 7C11A031B1CA5582E7744B1AB58052AB7A0FB45791F148279FACE87BA9CF7CE840CB40
                                            APIs
                                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6948C9A6B), ref: 00007FF6948CA930
                                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6948C9A6B), ref: 00007FF6948CA971
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: ExceptionFileHeaderRaise
                                            • String ID: csm
                                            • API String ID: 2573137834-1018135373
                                            • Opcode ID: aa4e29ff740041cbb66bd2c147c1e0abea6c0f4e7f03852bd6b62dcdd7bd4198
                                            • Instruction ID: 65bfba4fd529c64c8ebe018a33071b1b9d34cf22668733a3c2232c1b4ed0d8a1
                                            • Opcode Fuzzy Hash: aa4e29ff740041cbb66bd2c147c1e0abea6c0f4e7f03852bd6b62dcdd7bd4198
                                            • Instruction Fuzzy Hash: 42115B32618B8582EB218F15E580269B7E4FB88B94F198270EF9D47B59DF3CD955CB00
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF69487D516,?,-8000000000000000,00000001,00007FF69488C6D6), ref: 00007FF6948916EA
                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF69487D516,?,-8000000000000000,00000001,00007FF69488C6D6), ref: 00007FF694891759
                                            • EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF69487D516,?,-8000000000000000,00000001,00007FF69488C6D6), ref: 00007FF6948917A2
                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00007FF69487D516,?,-8000000000000000,00000001,00007FF69488C6D6), ref: 00007FF6948917B8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: fa8dc7cbf7cf060cfb14899e70fb8a95188bcdfbfc5a069442a73c28387b65d9
                                            • Instruction ID: c1240dac82e5e9807e20542b91a36672d91b541359f5500bbe70a573f4dabab2
                                            • Opcode Fuzzy Hash: fa8dc7cbf7cf060cfb14899e70fb8a95188bcdfbfc5a069442a73c28387b65d9
                                            • Instruction Fuzzy Hash: BB516A71A4CA4291FA718B10EAD43B473A0FB45794F6882B2DA5DD3AA9CF3DE955C300
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF694883F8F,?,?,?,00007FF69489025A), ref: 00007FF694883E5A
                                            • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF694883F8F,?,?,?,00007FF69489025A), ref: 00007FF694883E9C
                                            • EnterCriticalSection.KERNEL32(?,?,00000000,00007FF694883F8F,?,?,?,00007FF69489025A), ref: 00007FF694883EC7
                                            • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF694883F8F,?,?,?,00007FF69489025A), ref: 00007FF694883EE8
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2100138387.00007FF694861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF694860000, based on PE: true
                                            • Associated: 00000000.00000002.2100123431.00007FF694860000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100213584.00007FF69499B000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100246096.00007FF6949FB000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC0000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694AC7000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100312832.00007FF694ACC000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2100365809.00007FF694ACF000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff694860000_Shipping documents PO 16103 INV.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID:
                                            • API String ID: 3168844106-0
                                            • Opcode ID: a4be4a2250a951387a8d0b8575f6a78233bd2b07f59a0f4c7d2840ed43a5680b
                                            • Instruction ID: be661a5266c8f9e6f35f40dfa0d39097aed4cad944fdd242104f474d2000c9f2
                                            • Opcode Fuzzy Hash: a4be4a2250a951387a8d0b8575f6a78233bd2b07f59a0f4c7d2840ed43a5680b
                                            • Instruction Fuzzy Hash: 872121B1E5890681EEB19B24E9D83B422B0FF143A1F5883B5C52DC16E9DF3DE595C300

                                            Execution Graph

                                            Execution Coverage:5.2%
                                            Dynamic/Decrypted Code Coverage:7.1%
                                            Signature Coverage:5.3%
                                            Total number of Nodes:1877
                                            Total number of Limit Nodes:55
                                            execution_graph: rendered call graph (node IDs, function addresses and edges) not reproducible as text. API calls visible on the graph's nodes include WSAStartup, socket, connect, CreateEventW, WSAGetLastError, GetLocalTime, send, WaitForSingleObject, SetEvent, DeleteCriticalSection, EnterCriticalSection and LeaveCriticalSection; runtime helper nodes are annotated _Atexit, __EH_prolog and ctype.
calls 53214->53228 53217 40524a 53215->53217 53217->53210 53231 446137 ___crtLCMapStringA 53229->53231 53230 446175 53284 4405dd 20 API calls _Atexit 53230->53284 53231->53230 53233 446160 RtlAllocateHeap 53231->53233 53283 442f80 7 API calls 2 library calls 53231->53283 53233->53231 53234 446173 53233->53234 53234->53086 53237 404ba0 WaitForSingleObject 53236->53237 53238 404bcd recv 53236->53238 53285 421076 54 API calls 53237->53285 53240 404be0 53238->53240 53240->53086 53241 404bbc SetEvent 53241->53240 53243 4020bf 53242->53243 53244 4023ce 11 API calls 53243->53244 53245 4020ca 53244->53245 53246 40250a 28 API calls 53245->53246 53247 4020d9 53246->53247 53247->53086 53249 401ff1 53248->53249 53256 402039 53248->53256 53250 4023ce 11 API calls 53249->53250 53251 401ffa 53250->53251 53252 40203c 53251->53252 53254 402015 53251->53254 53253 40267a 11 API calls 53252->53253 53253->53256 53286 403098 28 API calls 53254->53286 53256->53086 53258 4020df 11 API calls 53257->53258 53268 404cde 53258->53268 53259 404e13 53260 401fd8 11 API calls 53259->53260 53261 404e1c 53260->53261 53261->53086 53262 4041a2 28 API calls 53262->53268 53263 401fe2 28 API calls 53263->53268 53264 401fd8 11 API calls 53264->53268 53265 4020f6 28 API calls 53265->53268 53268->53259 53268->53262 53268->53263 53268->53264 53268->53265 53287 41299f 53268->53287 53331 401fc0 53268->53331 53271 404e40 SetEvent FindCloseChangeNotification 53270->53271 53272 404e57 closesocket 53270->53272 53273 404ca8 53271->53273 53274 404e64 53272->53274 53273->53093 53275 404e7a 53274->53275 53924 4050e4 84 API calls 53274->53924 53277 404e8c WaitForSingleObject 53275->53277 53278 404ece SetEvent CloseHandle 53275->53278 53925 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53277->53925 53278->53273 53280 404e9b SetEvent WaitForSingleObject 53926 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 53280->53926 53282 404eb3 SetEvent CloseHandle CloseHandle 
53282->53278 53283->53231 53284->53234 53285->53241 53286->53256 53288 4129b1 53287->53288 53335 4041a2 53288->53335 53291 4020f6 28 API calls 53292 4129d3 53291->53292 53293 4020f6 28 API calls 53292->53293 53294 4129e2 53293->53294 53338 41be1b 53294->53338 53297 412a93 53507 401e8d 53297->53507 53299 401e65 22 API calls 53301 412a02 53299->53301 53303 4020f6 28 API calls 53301->53303 53302 401fd8 11 API calls 53304 412aa5 53302->53304 53305 412a0d 53303->53305 53306 401fd8 11 API calls 53304->53306 53307 401e65 22 API calls 53305->53307 53308 412aad 53306->53308 53309 412a18 53307->53309 53308->53268 53310 4020f6 28 API calls 53309->53310 53311 412a23 53310->53311 53312 401e65 22 API calls 53311->53312 53313 412a2e 53312->53313 53314 4020f6 28 API calls 53313->53314 53315 412a39 53314->53315 53316 401e65 22 API calls 53315->53316 53317 412a44 53316->53317 53318 4020f6 28 API calls 53317->53318 53319 412a4f 53318->53319 53320 401e65 22 API calls 53319->53320 53321 412a5a 53320->53321 53322 4020f6 28 API calls 53321->53322 53323 412a65 53322->53323 53324 401e65 22 API calls 53323->53324 53325 412a73 53324->53325 53326 4020f6 28 API calls 53325->53326 53327 412a7e 53326->53327 53360 412ab4 GetModuleFileNameW 53327->53360 53330 404e26 99 API calls 53330->53297 53332 401fd2 CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 53331->53332 53333 401fc9 53331->53333 53332->53268 53783 415aea 53332->53783 53782 4025e0 28 API calls 53333->53782 53513 40423a 53335->53513 53339 4020df 11 API calls 53338->53339 53359 41be2e 53339->53359 53340 41be9e 53341 401fd8 11 API calls 53340->53341 53342 41bed0 53341->53342 53343 401fd8 11 API calls 53342->53343 53345 41bed8 53343->53345 53344 41bea0 53346 4041a2 28 API calls 53344->53346 53348 401fd8 11 API calls 53345->53348 53349 41beac 53346->53349 53347 4041a2 28 API calls 53347->53359 53350 4129eb 53348->53350 53351 401fe2 28 API calls 53349->53351 53350->53297 53350->53299 53353 41beb5 53351->53353 53352 
401fe2 28 API calls 53352->53359 53354 401fd8 11 API calls 53353->53354 53356 41bebd 53354->53356 53355 401fd8 11 API calls 53355->53359 53358 41ce34 28 API calls 53356->53358 53358->53340 53359->53340 53359->53344 53359->53347 53359->53352 53359->53355 53519 41ce34 53359->53519 53361 4020df 11 API calls 53360->53361 53362 412adf 53361->53362 53363 4020df 11 API calls 53362->53363 53364 412aeb 53363->53364 53365 4020df 11 API calls 53364->53365 53387 412af7 53365->53387 53366 41b978 43 API calls 53366->53387 53367 40d9e8 32 API calls 53367->53387 53368 401fd8 11 API calls 53368->53387 53369 40417e 28 API calls 53369->53387 53370 4042fc 84 API calls 53370->53387 53371 40431d 28 API calls 53371->53387 53372 412c1d Sleep 53372->53387 53373 403014 28 API calls 53373->53387 53374 418568 31 API calls 53374->53387 53375 412cbf Sleep 53375->53387 53376 401f09 11 API calls 53376->53387 53377 412d61 Sleep 53377->53387 53378 412dc4 DeleteFileW 53378->53387 53379 41c485 32 API calls 53379->53387 53380 412dfb DeleteFileW 53380->53387 53381 412e4d Sleep 53381->53387 53382 412e37 DeleteFileW 53382->53387 53383 412ec6 53384 401f09 11 API calls 53383->53384 53385 412ed2 53384->53385 53386 401f09 11 API calls 53385->53386 53388 412ede 53386->53388 53387->53366 53387->53367 53387->53368 53387->53369 53387->53370 53387->53371 53387->53372 53387->53373 53387->53374 53387->53375 53387->53376 53387->53377 53387->53378 53387->53379 53387->53380 53387->53381 53387->53382 53387->53383 53391 412e92 Sleep 53387->53391 53389 401f09 11 API calls 53388->53389 53390 412eea 53389->53390 53555 40b904 53390->53555 53392 401f09 11 API calls 53391->53392 53398 412ea2 53392->53398 53394 412efd 53395 4020f6 28 API calls 53394->53395 53397 412f1d 53395->53397 53396 401f09 11 API calls 53396->53398 53561 41322d 53397->53561 53398->53387 53398->53396 53400 412ec4 53398->53400 53400->53390 53403 412f34 53404 412f54 53403->53404 53405 4130a8 53403->53405 53407 41bd1e 28 API calls 53404->53407 53576 41bd1e 
53405->53576 53409 412f60 53407->53409 53589 41bb8e 53409->53589 53410 402f31 28 API calls 53412 4130e8 53410->53412 53414 402f10 28 API calls 53412->53414 53417 4130f7 53414->53417 53415 402f31 28 API calls 53416 412faa 53415->53416 53419 402f10 28 API calls 53416->53419 53418 402f10 28 API calls 53417->53418 53420 413103 53418->53420 53421 412fb9 53419->53421 53422 402f10 28 API calls 53420->53422 53423 402f10 28 API calls 53421->53423 53424 413112 53422->53424 53425 412fc8 53423->53425 53426 402f10 28 API calls 53424->53426 53427 402f10 28 API calls 53425->53427 53428 413121 53426->53428 53429 412fd7 53427->53429 53430 402f10 28 API calls 53428->53430 53431 402f10 28 API calls 53429->53431 53432 413130 53430->53432 53433 412fe6 53431->53433 53434 402f10 28 API calls 53432->53434 53435 402f10 28 API calls 53433->53435 53436 41313f 53434->53436 53437 412ff2 53435->53437 53580 402ea1 53436->53580 53439 402f10 28 API calls 53437->53439 53441 412ffe 53439->53441 53443 402ea1 28 API calls 53441->53443 53442 404aa1 61 API calls 53444 413156 53442->53444 53445 41300d 53443->53445 53446 401fd8 11 API calls 53444->53446 53447 402f10 28 API calls 53445->53447 53449 413162 53446->53449 53448 413019 53447->53448 53451 402ea1 28 API calls 53448->53451 53450 401fd8 11 API calls 53449->53450 53452 41316e 53450->53452 53453 413023 53451->53453 53454 401fd8 11 API calls 53452->53454 53455 404aa1 61 API calls 53453->53455 53456 41317a 53454->53456 53457 413030 53455->53457 53458 401fd8 11 API calls 53456->53458 53459 401fd8 11 API calls 53457->53459 53460 413186 53458->53460 53461 413039 53459->53461 53462 401fd8 11 API calls 53460->53462 53463 401fd8 11 API calls 53461->53463 53464 41318f 53462->53464 53465 413042 53463->53465 53466 401fd8 11 API calls 53464->53466 53467 401fd8 11 API calls 53465->53467 53468 413198 53466->53468 53469 41304b 53467->53469 53470 401fd8 11 API calls 53468->53470 53471 401fd8 11 API calls 53469->53471 53472 41309c 53470->53472 53473 413054 
53471->53473 53475 401fd8 11 API calls 53472->53475 53474 401fd8 11 API calls 53473->53474 53476 413060 53474->53476 53477 4131aa 53475->53477 53478 401fd8 11 API calls 53476->53478 53480 401f09 11 API calls 53477->53480 53479 41306c 53478->53479 53482 401fd8 11 API calls 53479->53482 53481 4131b6 53480->53481 53483 401fd8 11 API calls 53481->53483 53484 413078 53482->53484 53485 4131c2 53483->53485 53486 401fd8 11 API calls 53484->53486 53487 401fd8 11 API calls 53485->53487 53488 413084 53486->53488 53489 4131ce 53487->53489 53490 401fd8 11 API calls 53488->53490 53491 401fd8 11 API calls 53489->53491 53492 413090 53490->53492 53493 4131da 53491->53493 53494 401fd8 11 API calls 53492->53494 53495 401fd8 11 API calls 53493->53495 53494->53472 53496 4131e6 53495->53496 53497 401fd8 11 API calls 53496->53497 53498 4131f2 53497->53498 53499 401fd8 11 API calls 53498->53499 53500 4131fe 53499->53500 53501 401fd8 11 API calls 53500->53501 53502 41320a 53501->53502 53503 401fd8 11 API calls 53502->53503 53504 413216 53503->53504 53505 401fd8 11 API calls 53504->53505 53506 412a83 53505->53506 53506->53330 53508 402163 53507->53508 53509 40219f 53508->53509 53780 402730 11 API calls 53508->53780 53509->53302 53511 402184 53781 402712 11 API calls std::_Deallocate 53511->53781 53514 404243 53513->53514 53515 4023ce 11 API calls 53514->53515 53516 40424e 53515->53516 53517 402569 28 API calls 53516->53517 53518 4041b5 53517->53518 53518->53291 53520 41ce41 53519->53520 53521 41cea0 53520->53521 53525 41ce51 53520->53525 53522 41ceba 53521->53522 53523 41cfe0 28 API calls 53521->53523 53539 41d146 28 API calls 53522->53539 53523->53522 53526 41ce89 53525->53526 53530 41cfe0 53525->53530 53538 41d146 28 API calls 53526->53538 53527 41ce9c 53527->53359 53532 41cfe8 53530->53532 53531 41d01a 53531->53526 53532->53531 53533 41d01e 53532->53533 53536 41d002 53532->53536 53550 402725 22 API calls 53533->53550 53540 41d051 53536->53540 53538->53527 53539->53527 53541 41d05b 
__EH_prolog 53540->53541 53551 402717 22 API calls 53541->53551 53543 41d06e 53552 41d15d 11 API calls 53543->53552 53545 41d094 53546 41d0cc 53545->53546 53553 402730 11 API calls 53545->53553 53546->53531 53548 41d0b3 53554 402712 11 API calls std::_Deallocate 53548->53554 53551->53543 53552->53545 53553->53548 53554->53546 53556 40b90c 53555->53556 53594 402252 53556->53594 53558 40b917 53598 40b92c 53558->53598 53560 40b926 53560->53394 53562 41323c 53561->53562 53571 41326b 53561->53571 53630 411cf2 53562->53630 53563 41327a 53620 40417e 53563->53620 53568 401fd8 11 API calls 53570 412f28 53568->53570 53573 401f09 53570->53573 53571->53563 53626 10001c5b 53571->53626 53574 402252 11 API calls 53573->53574 53575 401f12 53574->53575 53575->53403 53577 41bd2b 53576->53577 53578 4020b7 28 API calls 53577->53578 53579 4130b1 53578->53579 53579->53410 53585 402eb0 53580->53585 53581 402ef2 53582 401fb0 28 API calls 53581->53582 53583 402ef0 53582->53583 53584 402055 11 API calls 53583->53584 53586 402f09 53584->53586 53585->53581 53587 402ee7 53585->53587 53586->53442 53770 403365 28 API calls 53587->53770 53771 441e81 53589->53771 53592 402093 28 API calls 53593 412f7a 53592->53593 53593->53415 53595 4022ac 53594->53595 53596 40225c 53594->53596 53595->53558 53596->53595 53605 402779 11 API calls std::_Deallocate 53596->53605 53599 40b966 53598->53599 53600 40b938 53598->53600 53617 4028a4 22 API calls 53599->53617 53606 4027e6 53600->53606 53603 40b942 53603->53560 53605->53595 53607 4027ef 53606->53607 53608 402851 53607->53608 53609 4027f9 53607->53609 53619 4028a4 22 API calls 53608->53619 53612 402802 53609->53612 53614 402815 53609->53614 53618 402aea 28 API calls __EH_prolog 53612->53618 53615 402813 53614->53615 53616 402252 11 API calls 53614->53616 53615->53603 53616->53615 53618->53615 53621 404186 53620->53621 53622 402252 11 API calls 53621->53622 53623 404191 53622->53623 53634 4041bc 53623->53634 53627 10001c6b ___scrt_fastfail 53626->53627 53655 
100012ee 53627->53655 53629 10001c87 53629->53563 53697 411cfe 53630->53697 53633 411f67 22 API calls ___std_exception_copy 53633->53571 53635 4041c8 53634->53635 53638 4041d9 53635->53638 53637 40419c 53637->53568 53639 4041e9 53638->53639 53640 404206 53639->53640 53641 4041ef 53639->53641 53642 4027e6 28 API calls 53640->53642 53645 404267 53641->53645 53644 404204 53642->53644 53644->53637 53646 402888 22 API calls 53645->53646 53647 40427b 53646->53647 53648 404290 53647->53648 53649 4042a5 53647->53649 53651 4042df 22 API calls 53648->53651 53650 4027e6 28 API calls 53649->53650 53654 4042a3 53650->53654 53652 404299 53651->53652 53653 402c48 22 API calls 53652->53653 53653->53654 53654->53644 53656 10001324 ___scrt_fastfail 53655->53656 53657 100013b7 GetEnvironmentVariableW 53656->53657 53681 100010f1 53657->53681 53660 100010f1 57 API calls 53661 10001465 53660->53661 53662 100010f1 57 API calls 53661->53662 53663 10001479 53662->53663 53664 100010f1 57 API calls 53663->53664 53665 1000148d 53664->53665 53666 100010f1 57 API calls 53665->53666 53667 100014a1 53666->53667 53668 100010f1 57 API calls 53667->53668 53669 100014b5 lstrlenW 53668->53669 53670 100014d2 53669->53670 53671 100014d9 lstrlenW 53669->53671 53670->53629 53672 100010f1 57 API calls 53671->53672 53673 10001501 lstrlenW lstrcatW 53672->53673 53674 100010f1 57 API calls 53673->53674 53675 10001539 lstrlenW lstrcatW 53674->53675 53676 100010f1 57 API calls 53675->53676 53677 1000156b lstrlenW lstrcatW 53676->53677 53678 100010f1 57 API calls 53677->53678 53679 1000159d lstrlenW lstrcatW 53678->53679 53680 100010f1 57 API calls 53679->53680 53680->53670 53682 10001118 ___scrt_fastfail 53681->53682 53683 10001129 lstrlenW 53682->53683 53694 10002c40 53683->53694 53686 10001177 lstrlenW FindFirstFileW 53688 100011a0 53686->53688 53689 100011e1 53686->53689 53687 10001168 lstrlenW 53687->53686 53690 100011c7 FindNextFileW 53688->53690 53691 100011aa 53688->53691 53689->53660 53690->53688 53693 
100011da FindClose 53690->53693 53691->53690 53696 10001000 57 API calls ___scrt_fastfail 53691->53696 53693->53689 53695 10001148 lstrcatW lstrlenW 53694->53695 53695->53686 53695->53687 53696->53691 53732 41179c 53697->53732 53699 411d1c 53700 411d32 SetLastError 53699->53700 53701 41179c SetLastError 53699->53701 53708 411cfa 53699->53708 53700->53708 53702 411d4f 53701->53702 53702->53700 53704 411d71 GetNativeSystemInfo 53702->53704 53702->53708 53705 411db7 53704->53705 53717 411dc4 SetLastError 53705->53717 53735 411ca3 VirtualAlloc 53705->53735 53708->53633 53709 411de7 53710 411e0c GetProcessHeap HeapAlloc 53709->53710 53761 411ca3 VirtualAlloc 53709->53761 53712 411e23 53710->53712 53713 411e35 53710->53713 53762 411cba VirtualFree 53712->53762 53714 41179c SetLastError 53713->53714 53719 411e7e 53714->53719 53715 411dff 53715->53710 53715->53717 53717->53708 53718 411f30 53763 412077 GetProcessHeap HeapFree 53718->53763 53719->53718 53736 411ca3 VirtualAlloc 53719->53736 53722 411e97 ctype 53737 4117af 53722->53737 53724 411ec3 53724->53718 53741 411b5f 53724->53741 53728 411efb 53728->53708 53728->53718 53757 1000220c 53728->53757 53729 411f21 53729->53708 53730 411f25 SetLastError 53729->53730 53730->53718 53733 4117a0 SetLastError 53732->53733 53734 4117ab 53732->53734 53733->53699 53734->53699 53735->53709 53736->53722 53738 411885 53737->53738 53740 4117db ctype ___scrt_get_show_window_mode 53737->53740 53738->53724 53739 41179c SetLastError 53739->53740 53740->53738 53740->53739 53742 411b80 IsBadReadPtr 53741->53742 53743 411c6a 53741->53743 53742->53743 53750 411b9a 53742->53750 53743->53718 53751 41194f 53743->53751 53746 411c82 SetLastError 53746->53743 53747 411c6c SetLastError 53747->53743 53748 411c4f IsBadReadPtr 53748->53743 53748->53750 53750->53743 53750->53746 53750->53747 53750->53748 53764 440f0d 22 API calls 4 library calls 53750->53764 53755 411975 53751->53755 53752 411a5e 53753 4118b2 VirtualProtect 53752->53753 53754 411a70 
53753->53754 53754->53728 53755->53752 53755->53754 53765 4118b2 53755->53765 53758 10002215 53757->53758 53759 1000221a dllmain_dispatch 53757->53759 53769 100022b1 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___get_entropy 53758->53769 53759->53729 53761->53715 53762->53717 53763->53708 53764->53750 53766 4118c3 53765->53766 53768 4118bb 53765->53768 53767 411936 VirtualProtect 53766->53767 53766->53768 53767->53768 53768->53755 53769->53759 53770->53583 53772 441e8d 53771->53772 53775 441c7d 53772->53775 53774 41bbb2 53774->53592 53776 441c94 53775->53776 53778 441ccb pre_c_initialization 53776->53778 53779 4405dd 20 API calls _Atexit 53776->53779 53778->53774 53779->53778 53780->53511 53781->53509 53782->53332 53784 4020f6 28 API calls 53783->53784 53785 415b0c SetEvent 53784->53785 53786 415b21 53785->53786 53787 4041a2 28 API calls 53786->53787 53788 415b3b 53787->53788 53789 4020f6 28 API calls 53788->53789 53790 415b4b 53789->53790 53791 4020f6 28 API calls 53790->53791 53792 415b5d 53791->53792 53793 41be1b 28 API calls 53792->53793 53794 415b66 53793->53794 53796 415b86 GetTickCount 53794->53796 53797 415ce5 53794->53797 53861 415cd6 53794->53861 53795 401e8d 11 API calls 53798 417092 53795->53798 53799 41bb8e 28 API calls 53796->53799 53859 415cf9 53797->53859 53797->53861 53800 401fd8 11 API calls 53798->53800 53801 415b97 53799->53801 53803 41709e 53800->53803 53862 41bae6 GetLastInputInfo GetTickCount 53801->53862 53805 401fd8 11 API calls 53803->53805 53807 4170aa 53805->53807 53806 415ba3 53808 41bb8e 28 API calls 53806->53808 53809 415bae 53808->53809 53863 41ba96 53809->53863 53812 41bd1e 28 API calls 53813 415bca 53812->53813 53814 401e65 22 API calls 53813->53814 53815 415bd8 53814->53815 53816 402f31 28 API calls 53815->53816 53817 415be6 53816->53817 53818 402ea1 28 API calls 53817->53818 53819 415bf5 53818->53819 53820 402f10 28 API calls 53819->53820 53821 415c04 53820->53821 53822 402ea1 28 API 
calls 53821->53822 53823 415c13 53822->53823 53824 402f10 28 API calls 53823->53824 53825 415c1f 53824->53825 53826 402ea1 28 API calls 53825->53826 53827 415c29 53826->53827 53828 404aa1 61 API calls 53827->53828 53829 415c38 53828->53829 53830 401fd8 11 API calls 53829->53830 53831 415c41 53830->53831 53832 401fd8 11 API calls 53831->53832 53833 415c4d 53832->53833 53834 401fd8 11 API calls 53833->53834 53835 415c59 53834->53835 53836 401fd8 11 API calls 53835->53836 53837 415c65 53836->53837 53838 401fd8 11 API calls 53837->53838 53839 415c71 53838->53839 53840 401fd8 11 API calls 53839->53840 53841 415c7d 53840->53841 53842 401f09 11 API calls 53841->53842 53843 415c86 53842->53843 53844 401fd8 11 API calls 53843->53844 53845 415c8f 53844->53845 53846 401fd8 11 API calls 53845->53846 53847 415c98 53846->53847 53848 401e65 22 API calls 53847->53848 53849 415ca3 53848->53849 53868 43baac 53849->53868 53852 415cb5 53855 415cc3 53852->53855 53856 415cce 53852->53856 53853 415cdb 53854 401e65 22 API calls 53853->53854 53854->53797 53872 404ff4 82 API calls 53855->53872 53873 404f51 53856->53873 53888 4050e4 84 API calls 53859->53888 53860 415cc9 53860->53861 53861->53795 53862->53806 53889 436e90 53863->53889 53866 40417e 28 API calls 53867 415bbc 53866->53867 53867->53812 53869 43bac5 _strftime 53868->53869 53891 43ae03 53869->53891 53871 415cb0 53871->53852 53871->53853 53872->53860 53874 404f65 53873->53874 53875 404fea 53873->53875 53876 404f6e 53874->53876 53877 404fc0 CreateEventA CreateThread 53874->53877 53878 404f7d GetLocalTime 53874->53878 53875->53861 53876->53877 53877->53875 53920 405150 53877->53920 53879 41bb8e 28 API calls 53878->53879 53880 404f91 53879->53880 53919 4052fd 28 API calls 53880->53919 53888->53860 53890 41bab5 GetForegroundWindow GetWindowTextW 53889->53890 53890->53866 53907 43ba0a 53891->53907 53893 43ae15 53894 43ae50 53893->53894 53896 43ae2a 53893->53896 53906 43ae2f pre_c_initialization 53893->53906 53913 43a7b7 36 API calls 2 
library calls 53894->53913 53912 4405dd 20 API calls _Atexit 53896->53912 53899 43ae5c 53900 43ae8b 53899->53900 53914 43ba4f 40 API calls __Toupper 53899->53914 53903 43aef7 53900->53903 53915 43b9b6 20 API calls 2 library calls 53900->53915 53916 43b9b6 20 API calls 2 library calls 53903->53916 53904 43afbe _strftime 53904->53906 53917 4405dd 20 API calls _Atexit 53904->53917 53906->53871 53908 43ba22 53907->53908 53909 43ba0f 53907->53909 53908->53893 53918 4405dd 20 API calls _Atexit 53909->53918 53911 43ba14 pre_c_initialization 53911->53893 53912->53906 53913->53899 53914->53899 53915->53903 53916->53904 53917->53906 53918->53911 53923 40515c 102 API calls 53920->53923 53922 405159 53923->53922 53924->53275 53925->53280 53926->53282 53927 434887 53928 434893 CallCatchBlock 53927->53928 53954 434596 53928->53954 53930 43489a 53932 4348c3 53930->53932 54252 4349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 53930->54252 53936 434902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 53932->53936 54253 444251 5 API calls TranslatorGuardHandler 53932->54253 53934 4348dc 53937 4348e2 CallCatchBlock 53934->53937 54254 4441f5 5 API calls TranslatorGuardHandler 53934->54254 53938 434962 53936->53938 54255 4433e7 36 API calls 5 library calls 53936->54255 53965 434b14 53938->53965 53947 434984 53948 43498e 53947->53948 54257 44341f 28 API calls _Atexit 53947->54257 53950 434997 53948->53950 54258 4433c2 28 API calls _Atexit 53948->54258 54259 43470d 13 API calls 2 library calls 53950->54259 53953 43499f 53953->53937 53955 43459f 53954->53955 54260 434c52 IsProcessorFeaturePresent 53955->54260 53957 4345ab 54261 438f31 10 API calls 4 library calls 53957->54261 53959 4345b0 53964 4345b4 53959->53964 54262 4440bf 53959->54262 53962 4345cb 53962->53930 53964->53930 53966 436e90 ___scrt_get_show_window_mode 53965->53966 53967 434b27 GetStartupInfoW 53966->53967 53968 434968 
53967->53968 53969 4441a2 53968->53969 54339 44f059 53969->54339 53971 434971 53974 40e9c5 53971->53974 53972 4441ab 53972->53971 54343 446815 36 API calls 53972->54343 54345 41cb50 LoadLibraryA GetProcAddress 53974->54345 53976 40e9e1 GetModuleFileNameW 54350 40f3c3 53976->54350 53978 40e9fd 53979 4020f6 28 API calls 53978->53979 53980 40ea0c 53979->53980 53981 4020f6 28 API calls 53980->53981 53982 40ea1b 53981->53982 53983 41be1b 28 API calls 53982->53983 53984 40ea24 53983->53984 54365 40fb17 53984->54365 53986 40ea2d 53987 401e8d 11 API calls 53986->53987 53988 40ea36 53987->53988 53989 40ea93 53988->53989 53990 40ea49 53988->53990 53991 401e65 22 API calls 53989->53991 54559 40fbb3 118 API calls 53990->54559 53993 40eaa3 53991->53993 53997 401e65 22 API calls 53993->53997 53994 40ea5b 53995 401e65 22 API calls 53994->53995 53996 40ea67 53995->53996 54560 410f37 36 API calls __EH_prolog 53996->54560 53998 40eac2 53997->53998 53999 40531e 28 API calls 53998->53999 54001 40ead1 53999->54001 54003 406383 28 API calls 54001->54003 54002 40ea79 54561 40fb64 78 API calls 54002->54561 54005 40eadd 54003->54005 54007 401fe2 28 API calls 54005->54007 54006 40ea82 54562 40f3b0 71 API calls 54006->54562 54009 40eae9 54007->54009 54010 401fd8 11 API calls 54009->54010 54011 40eaf2 54010->54011 54013 401fd8 11 API calls 54011->54013 54012 401fd8 11 API calls 54014 40eefb 54012->54014 54015 40eafb 54013->54015 54256 4432f6 GetModuleHandleW 54014->54256 54016 401e65 22 API calls 54015->54016 54017 40eb04 54016->54017 54018 401fc0 28 API calls 54017->54018 54019 40eb0f 54018->54019 54020 401e65 22 API calls 54019->54020 54021 40eb28 54020->54021 54022 401e65 22 API calls 54021->54022 54023 40eb43 54022->54023 54024 40ebae 54023->54024 54563 406c1e 54023->54563 54025 401e65 22 API calls 54024->54025 54031 40ebbb 54025->54031 54027 40eb70 54028 401fe2 28 API calls 54027->54028 54029 40eb7c 54028->54029 54032 401fd8 11 API calls 54029->54032 54030 40ec02 54369 40d069 
54030->54369 54031->54030 54037 413549 3 API calls 54031->54037 54034 40eb85 54032->54034 54568 413549 RegOpenKeyExA 54034->54568 54035 40ec08 54036 40ea8b 54035->54036 54372 41b2c3 54035->54372 54036->54012 54043 40ebe6 54037->54043 54041 40f34f 54661 4139a9 30 API calls 54041->54661 54042 40ec23 54044 40ec76 54042->54044 54389 407716 54042->54389 54043->54030 54571 4139a9 30 API calls 54043->54571 54046 401e65 22 API calls 54044->54046 54049 40ec7f 54046->54049 54058 40ec90 54049->54058 54059 40ec8b 54049->54059 54051 40f365 54662 412475 65 API calls ___scrt_get_show_window_mode 54051->54662 54052 40ec42 54572 407738 30 API calls 54052->54572 54053 40ec4c 54056 401e65 22 API calls 54053->54056 54068 40ec55 54056->54068 54057 40f36f 54061 41bc5e 28 API calls 54057->54061 54064 401e65 22 API calls 54058->54064 54575 407755 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 54059->54575 54060 40ec47 54573 407260 98 API calls 54060->54573 54065 40f37f 54061->54065 54066 40ec99 54064->54066 54461 413a23 RegOpenKeyExW 54065->54461 54393 41bc5e 54066->54393 54068->54044 54072 40ec71 54068->54072 54069 40eca4 54397 401f13 54069->54397 54574 407260 98 API calls 54072->54574 54074 401f09 11 API calls 54077 40f39c 54074->54077 54079 401f09 11 API calls 54077->54079 54078 401f09 11 API calls 54080 40ecb8 54078->54080 54082 40f3a5 54079->54082 54081 401e65 22 API calls 54080->54081 54083 40ecc1 54081->54083 54464 40dd42 54082->54464 54087 401e65 22 API calls 54083->54087 54089 40ecdb 54087->54089 54088 40f3af 54090 401e65 22 API calls 54089->54090 54091 40ecf5 54090->54091 54092 401e65 22 API calls 54091->54092 54094 40ed0e 54092->54094 54093 40ed7b 54096 40ed8a 54093->54096 54101 40ef06 ___scrt_get_show_window_mode 54093->54101 54094->54093 54095 401e65 22 API calls 54094->54095 54100 40ed23 _wcslen 54095->54100 54097 40ed93 54096->54097 54125 40ee0f ___scrt_get_show_window_mode 54096->54125 54098 401e65 22 API calls 54097->54098 54099 40ed9c 54098->54099 
[Control-flow graph node and edge listing omitted: raw node identifiers, edge pairs and per-node API-call counts from the interactive graph viewer; the API calls of the analysed function are listed under "APIs" below.]

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
• GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
• GetProcAddress.KERNEL32(00000000), ref: 0041CB88
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
• GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
• GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
• GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
• GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
• GetProcAddress.KERNEL32(00000000), ref: 0041CC11
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
• GetProcAddress.KERNEL32(00000000), ref: 0041CC25
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
• GetProcAddress.KERNEL32(00000000), ref: 0041CC39
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
• GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
• GetProcAddress.KERNEL32(00000000), ref: 0041CC61
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                            • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                            • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                            • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                            • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                            • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad$HandleModule
                                            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                            • API String ID: 4236061018-3687161714
                                            • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                            • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                            • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                            • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                            Control-flow Graph

                                            Control-flow graph data (graph not rendered; executed/not-executed colouring lost): function at 4180ef. Blocks call GetModuleHandleA/GetProcAddress (four resolver pairs), CreateProcessW, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, NtCreateSection, NtUnmapViewOfSection, NtMapViewOfSection, GetCurrentProcess, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, VirtualFree, NtClose, TerminateProcess and GetLastError, plus internal subcalls 436e90, 436910 and 418503.
                                            APIs
                                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                            • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                            • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                            • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                            • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0041822F
                                            • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 0041826B
                                            • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00418293
                                            • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182BB
                                            • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 004182DB
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004182ED
                                            • NtClose.NTDLL(?), ref: 004182F7
                                            • TerminateProcess.KERNELBASE(?,00000000), ref: 00418301
                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                            • NtMapViewOfSection.NTDLL(?,00000000), ref: 0041834C
                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0041840B
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                            • ResumeThread.KERNELBASE(?), ref: 00418435
                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                            • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                            • NtUnmapViewOfSection.NTDLL(00000000), ref: 0041845E
                                            • NtClose.NTDLL(?), ref: 00418468
                                            • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                            • GetLastError.KERNEL32 ref: 0041847A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                            • API String ID: 3150337530-108836778
                                            • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                            • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                            • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                            • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

                                            Control-flow Graph

                                            Control-flow graph data (graph not rendered; executed/not-executed colouring lost): function at 40a2b8. Blocks call SetWindowsHookExA, GetLastError, GetMessageA, TranslateMessage and DispatchMessageA, plus internal subcalls 41bb8e, 4052fd, 402093, 41b4ef and 401fd8 on the hook-failure path.
                                            APIs
                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                            • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                            • GetLastError.KERNEL32 ref: 0040A2ED
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                            • TranslateMessage.USER32(?), ref: 0040A34A
                                            • DispatchMessageA.USER32(?), ref: 0040A355
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                            • String ID: Keylogger initialization failure: error $`#v
                                            • API String ID: 3219506041-3226811161
                                            • Opcode ID: 718f47324b8862b268baf47dc1492ba3640dfc9c03fb41c98a70d8505363c975
                                            • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                            • Opcode Fuzzy Hash: 718f47324b8862b268baf47dc1492ba3640dfc9c03fb41c98a70d8505363c975
                                            • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

                                            Control-flow Graph

                                            Control-flow graph data (graph not rendered; executed/not-executed colouring lost): function at 100010f1. Blocks call lstrlenW, lstrcatW, FindFirstFileW, FindNextFileW and FindClose, plus internal subcalls 10002c40 and 10001000 (the latter invoked per directory entry).
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                            • lstrcatW.KERNEL32(?,?), ref: 10001151
                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                            • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                            • FindClose.KERNELBASE(00000000), ref: 100011DB
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                            • String ID:
                                            • API String ID: 1083526818-0
                                            • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                            • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                            • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                            • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                            Control-flow Graph

                                            APIs
                                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                            • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                            • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                            Strings
                                            • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$CloseHandleOpen$FileRead
                                            • String ID: http://geoplugin.net/json.gp
                                            • API String ID: 3121278467-91888290
                                            • Opcode ID: 961cfb38cd55e61572119c0efa1b6417dc8b0c9b1577fd71b4996ae3f28eea1b
                                            • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                            • Opcode Fuzzy Hash: 961cfb38cd55e61572119c0efa1b6417dc8b0c9b1577fd71b4996ae3f28eea1b
                                            • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                            APIs
                                              • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                            • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                            • GetNativeSystemInfo.KERNELBASE(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                            • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                              • Part of subcall function 00411CA3: VirtualAlloc.KERNELBASE(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                            • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                              • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                              • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                            • String ID:
                                            • API String ID: 3950776272-0
                                            • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                            • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                            • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                            • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                            APIs
                                              • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                              • Part of subcall function 00413549: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                              • Part of subcall function 00413549: RegCloseKey.KERNELBASE(?), ref: 00413592
                                            • Sleep.KERNELBASE(00000BB8), ref: 0040F85B
                                            • ExitProcess.KERNEL32 ref: 0040F8CA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseExitOpenProcessQuerySleepValue
                                            • String ID: 4.9.4 Pro$override$pth_unenc
                                            • API String ID: 2281282204-930821335
                                            • Opcode ID: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                                            • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                            • Opcode Fuzzy Hash: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
                                            • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                            APIs
                                            • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,004750E4), ref: 0041B62A
                                            • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Name$ComputerUser
                                            • String ID:
                                            • API String ID: 4229901323-0
                                            • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                            • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                            • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                            • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                            APIs
                                            • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InfoLocale
                                            • String ID:
                                            • API String ID: 2299586839-0
                                            • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                            • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                            • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                            • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                            Control-flow Graph

                                            Control-flow graph data (graph not rendered; executed/not-executed colouring lost): function at 40e9c5, the large initialisation routine. Blocks call GetModuleFileNameW, CreateThread (several worker threads started in sequence), StrToIntA, SetProcessDEPPolicy, Sleep and DeleteFileW, with many internal subcalls (among them 41cb50, 413549, 41b2c3, 41bc5e, 4134ff, 41361b, 40dd42 and 414f2a).
                                            APIs
                                              • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                              • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                              • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                              • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 0040E9EE
                                              • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                            • String ID: 8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-SJ9MVF$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                            • API String ID: 2830904901-3530819195
                                            • Opcode ID: f6f2060d4398d5b2a3b696d69963cb1af651a82ed82d656eaac2ebe4ebfc4826
                                            • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                            • Opcode Fuzzy Hash: f6f2060d4398d5b2a3b696d69963cb1af651a82ed82d656eaac2ebe4ebfc4826
                                            • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
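The API list for sub_0041CB50 above shows the agent resolving NtUnmapViewOfSection, IsUserAnAdmin, SetProcessDEPPolicy and the display/system-info routines at runtime through LoadLibraryA and GetProcAddress, so those names are absent from the import table but sit in memory as plain text next to the "Remcos Agent initialized", "Rmc-SJ9MVF" and "license_code.txt" strings. A triage script can test an unpacked dump such as the 0x00400000 region of AddInProcess32.exe for exactly that combination. The following is an added example, not code from the Joe Sandbox report or from Remcos; the dump it scans is constructed inline, and the indicator weights and alert threshold are assumptions.

```python
import re

# Added triage example; not code from the Joe Sandbox report or from Remcos.
# Indicator strings and API names are copied from this report's "String ID"
# and "APIs" lists. The weights and the alert threshold are assumptions.
STRING_INDICATORS = {
    b"Remcos Agent initialized": 5,
    b"Rmc-": 3,                 # agent ID prefix, e.g. "Rmc-SJ9MVF"
    b"license_code.txt": 3,
    b"Access Level: ": 1,
    b"exepath": 1,
    b'/stext "': 2,             # NirSoft text-dump switch used for credential harvesting
    b"TLS Handshake": 1,
    b"Connection Refused": 1,
}

# Names passed to GetProcAddress by sub_0041CB50 (resolved at runtime rather
# than imported, so they are missing from the import table but present as text).
RESOLVED_APIS = [
    b"GetProcessImageFileNameW", b"SetProcessDpiAwareness",
    b"NtUnmapViewOfSection", b"GlobalMemoryStatusEx", b"IsWow64Process",
    b"GetComputerNameExW", b"IsUserAnAdmin", b"SetProcessDEPPolicy",
    b"EnumDisplayDevicesW", b"EnumDisplayMonitors", b"GetMonitorInfoW",
    b"GetSystemTimes",
]

AGENT_ID_RE = re.compile(rb"Rmc-[A-Z0-9]{6}")
ALERT_THRESHOLD = 8  # assumption


def _present(data: bytes, s: bytes) -> bool:
    """True if s occurs as ANSI or as UTF-16LE (the agent mixes both)."""
    return s in data or s.decode("ascii").encode("utf-16-le") in data


def scan_dump(data: bytes) -> dict:
    """Score a process memory dump for the Remcos indicators listed above."""
    strings = {s.decode(): w for s, w in STRING_INDICATORS.items() if _present(data, s)}
    apis = [a.decode() for a in RESOLVED_APIS if a in data]
    # the GetProcAddress name table counts once, scaled by how much of it is seen
    api_score = 4 if len(apis) >= 6 else 2 if len(apis) >= 3 else 0
    score = sum(strings.values()) + api_score
    return {
        "score": score,
        "strings": strings,
        "resolved_apis": apis,
        "agent_ids": sorted({m.decode() for m in AGENT_ID_RE.findall(data)}),
        "verdict": "remcos-like" if score >= ALERT_THRESHOLD else "inconclusive",
    }


# Constructed stand-in for the 0x00400000 region of AddInProcess32.exe (not a
# real dump): a few of the strings above, some of them wide, with junk between.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"Psapi\x00GetProcessImageFileNameW\x00shcore\x00SetProcessDpiAwareness\x00"
    + b"ntdll\x00NtUnmapViewOfSection\x00kernel32\x00GlobalMemoryStatusEx\x00"
    + b"IsWow64Process\x00GetComputerNameExW\x00Shell32\x00IsUserAnAdmin\x00"
    + b"SetProcessDEPPolicy\x00" + b"\xcc" * 64
    + "Remcos Agent initialized".encode("utf-16-le") + b"\x00\x00"
    + b"Rmc-SJ9MVF\x00license_code.txt\x00exepath\x00" + b"\x90" * 16
    + '/stext "'.encode("utf-16-le")
)


if __name__ == "__main__":
    r = scan_dump(SAMPLE_DUMP)
    print(f"{r['verdict']} (score {r['score']}); agent IDs {r['agent_ids']}")
    print("runtime-resolved APIs:", ", ".join(r["resolved_apis"]))
```

Run it against the hcaresult_4_2_400000 dump after unpacking rather than against the original sample: the strings only exist in the injected AddInProcess32.exe image, which is why the report's memory-dump source is the process at 0x00400000 and not the PE on disk.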

                                            Control-flow Graph

                                            • Control-flow graph (rendered graph not preserved). Function at 0x00414F2A, basic blocks 0x00414F2A through 0x00415AE5; imported calls on the path: Sleep, WSAGetLastError, GetTickCount, CreateThread.
                                            APIs
                                            • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                            • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                            • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep$ErrorLastLocalTime
                                            • String ID: | $%I64u$4.9.4 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-SJ9MVF$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                            • API String ID: 524882891-1151609004
                                            • Opcode ID: fa3a71bb64d27a01e2cd29937b6efa7514db7cfaa77eb31eadfe724eddc07f9e
                                            • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                            • Opcode Fuzzy Hash: fa3a71bb64d27a01e2cd29937b6efa7514db7cfaa77eb31eadfe724eddc07f9e
                                            • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                                            Control-flow Graph

                                            • Control-flow graph (rendered graph not preserved). Function at 0x00412AB4, basic blocks 0x00412AB4 through 0x0041322C; imported calls on the path: GetModuleFileNameW, Sleep, DeleteFileW.
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                              • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                              • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                            • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                            • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                            • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                            • DeleteFileW.KERNELBASE(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                            • DeleteFileW.KERNELBASE(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                            • DeleteFileW.KERNELBASE(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                            • Sleep.KERNELBASE(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                            • Sleep.KERNEL32(00000064), ref: 00412E94
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                            • String ID: /stext "$0TG$0TG$NG$NG
                                            • API String ID: 1223786279-2576077980
                                            • Opcode ID: 76d926ec511b1af110b970dbc33056e1a2348894721dd65b52e50139ae7f6007
                                            • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                            • Opcode Fuzzy Hash: 76d926ec511b1af110b970dbc33056e1a2348894721dd65b52e50139ae7f6007
                                            • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
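Function 00412AB4 above launches a helper three times with a `/stext "<file>"` argument (the NirSoft text-dump switch), sleeps in 10 ms steps while it runs, then calls DeleteFileW on each output file and sends the collected data through sub_00404AA1. That launch, dwell, delete sequence is visible in endpoint telemetry even when the helper binary itself is not flagged. The following detection is an added example, not code from the Joe Sandbox report or from Remcos; the event records are constructed, the helper and output paths are hypothetical, and the Sysmon-like field layout (EID 1 process creation, EID 23 file delete) is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added detection example; not code from the Joe Sandbox report or from Remcos.
# Event shape is a generic Sysmon-like layout (assumption): EID 1 = process
# creation, EID 23 = file delete. All records below are constructed.
PARENT = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
TMP = r"C:\Users\user\AppData\Local\Temp"  # hypothetical drop directory


def _launch(ts, pid, n):
    exe, out = rf"{TMP}\rec{n}.exe", rf"{TMP}\out{n}.txt"
    return {"ts": ts, "eid": 1, "pid": pid, "ppid": 3304, "image": exe,
            "parent_image": PARENT, "cmdline": f'"{exe}" /stext "{out}"'}


def _delete(ts, target):
    return {"ts": ts, "eid": 23, "pid": 3304, "image": PARENT, "target": target}


EVENTS = [
    _launch("2024-07-23T10:00:00", 4812, 1),
    _launch("2024-07-23T10:00:00", 4816, 2),
    _launch("2024-07-23T10:00:01", 4820, 3),
    # unrelated noise: a user opening a text file
    {"ts": "2024-07-23T10:00:01", "eid": 1, "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\notes.txt"},
    _delete("2024-07-23T10:00:02", rf"{TMP}\out1.txt"),
    _delete("2024-07-23T10:00:02", rf"{TMP}\out2.txt"),
    _delete("2024-07-23T10:00:03", rf"{TMP}\out3.txt"),
]

# NirSoft-style switch: /stext <file>, with or without quotes around the path
STEXT_RE = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def detect_stext_harvest(events, max_gap_s=300, min_runs=2):
    """Flag a parent that launches /stext helpers and then deletes their output.

    Returns one finding per parent PID that completed at least `min_runs`
    launch/delete pairs, each pair closed within `max_gap_s` seconds.
    """
    pending = {}                 # lowercased output path -> launch event
    pairs = defaultdict(list)    # parent pid -> completed pairs
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] == 1:
            m = STEXT_RE.search(ev.get("cmdline", ""))
            if m:
                pending[(m.group(1) or m.group(2)).lower()] = ev
        elif ev["eid"] == 23:
            key = ev["target"].lower()
            launch = pending.get(key)
            # only the process that spawned the helper counts as the cleaner
            if launch is None or launch["ppid"] != ev["pid"]:
                continue
            del pending[key]
            gap = (datetime.fromisoformat(ev["ts"])
                   - datetime.fromisoformat(launch["ts"])).total_seconds()
            if gap <= max_gap_s:
                pairs[ev["pid"]].append({"helper": launch["image"],
                                         "parent_image": launch["parent_image"],
                                         "output": ev["target"], "gap_s": gap})
    findings = []
    for pid, runs in pairs.items():
        if len(runs) >= min_runs:
            findings.append({"parent_pid": pid,
                             "parent_image": runs[0]["parent_image"],
                             "helpers": sorted({r["helper"] for r in runs}),
                             "outputs": [r["output"] for r in runs]})
    return findings


if __name__ == "__main__":
    for f in detect_stext_harvest(EVENTS):
        print(f"pid {f['parent_pid']} ({f['parent_image']}) ran "
              f"{len(f['outputs'])} /stext helpers and deleted their output")
```

The pairing on the parent PID matters: a user running a NirSoft tool by hand leaves the text file behind, and a cleanup by an unrelated process does not complete the pair. Tune `max_gap_s` to the dwell you see in your telemetry; the sandbox trace here shows the agent polling every 10 ms and finishing within seconds.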

                                            Control-flow Graph

                                            APIs
                                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                              • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                              • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                              • Part of subcall function 100010F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                              • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                              • Part of subcall function 100010F1: FindClose.KERNELBASE(00000000), ref: 100011DB
                                            • lstrlenW.KERNEL32(?), ref: 100014C5
                                            • lstrlenW.KERNEL32(?), ref: 100014E0
                                            • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                            • lstrcatW.KERNEL32(00000000), ref: 10001521
                                            • lstrlenW.KERNEL32(?,?), ref: 10001547
                                            • lstrcatW.KERNEL32(00000000), ref: 10001553
                                            • lstrlenW.KERNEL32(?,?), ref: 10001579
                                            • lstrcatW.KERNEL32(00000000), ref: 10001585
                                            • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                            • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                            • String ID: )$Foxmail$ProgramFiles
                                            • API String ID: 672098462-2938083778
                                            • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                            • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                            • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                            • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                            Control-flow Graph

                                            APIs
                                            • Sleep.KERNELBASE(00001388), ref: 0040A740
                                              • Part of subcall function 0040A675: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                              • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                              • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                              • Part of subcall function 0040A675: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                            • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 0040A77C
                                            • GetFileAttributesW.KERNELBASE(00000000), ref: 0040A78D
                                            • SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 0040A7A4
                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                              • Part of subcall function 0041C485: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
                                            • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                            • API String ID: 110482706-1152054767
                                            • Opcode ID: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
                                            • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                            • Opcode Fuzzy Hash: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
                                            • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

                                            Control-flow Graph

                                            • Control-flow graph (rendered graph not preserved). Function at 0x004048C8, basic blocks 0x004048C8 through 0x00404A9E; imported calls on the path: connect, WSAGetLastError, CreateEventW.
                                            APIs
                                            • connect.WS2_32(FFFFFFFF,01099ED0,00000010), ref: 004048E0
                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                            • WSAGetLastError.WS2_32 ref: 00404A21
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                            • API String ID: 994465650-2151626615
                                            • Opcode ID: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
                                            • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                            • Opcode Fuzzy Hash: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
                                            • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

                                            Control-flow Graph

                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                            • closesocket.WS2_32(000000FF), ref: 00404E5A
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                            • String ID:
                                            • API String ID: 2403171778-0
                                            • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                            • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                            • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                            • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                                            Control-flow Graph

                                            APIs
                                            • __Init_thread_footer.LIBCMT ref: 0040AD38
                                            • Sleep.KERNELBASE(000001F4), ref: 0040AD43
                                            • GetForegroundWindow.USER32 ref: 0040AD49
                                            • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                            • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                            • String ID: [${ User has been idle for $ minutes }$]
                                            • API String ID: 911427763-3954389425
                                            • Opcode ID: 11deb2e1d1f8f3844bb158fc8ccdcdbeb0aecbc925d29af6944428c3672480c4
                                            • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                            • Opcode Fuzzy Hash: 11deb2e1d1f8f3844bb158fc8ccdcdbeb0aecbc925d29af6944428c3672480c4
                                            • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

                                            Control-flow Graph

                                            control_flow_graph 1556 40da34-40da59 call 401f86 1559 40db83-40dc1b call 401f04 GetLongPathNameW call 40417e * 2 call 40ddd1 call 402fa5 * 2 call 401f09 * 5 1556->1559 1560 40da5f 1556->1560 1562 40da70-40da7e call 41b5b4 call 401f13 1560->1562 1563 40da91-40da96 1560->1563 1564 40db51-40db56 1560->1564 1565 40daa5-40daac call 41bfb7 1560->1565 1566 40da66-40da6b 1560->1566 1567 40db58-40db5d 1560->1567 1568 40da9b-40daa0 1560->1568 1569 40db6e 1560->1569 1570 40db5f-40db64 call 43c0cf 1560->1570 1587 40da83 1562->1587 1572 40db73-40db78 call 43c0cf 1563->1572 1564->1572 1582 40db00-40db4c call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1565->1582 1583 40daae-40dafe call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1565->1583 1566->1572 1567->1572 1568->1572 1569->1572 1578 40db69-40db6c 1570->1578 1584 40db79-40db7e call 409057 1572->1584 1578->1569 1578->1584 1582->1587 1592 40da87-40da8c call 401f09 1583->1592 1584->1559 1587->1592 1592->1559
                                            APIs
                                            • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LongNamePath
                                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                            • API String ID: 82841172-425784914
                                            • Opcode ID: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                            • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                            • Opcode Fuzzy Hash: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                            • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                            Control-flow Graph

                                            control_flow_graph 1690 41c3f1-41c402 1691 41c404-41c407 1690->1691 1692 41c41a-41c421 1690->1692 1693 41c410-41c418 1691->1693 1694 41c409-41c40e 1691->1694 1695 41c422-41c43b CreateFileW 1692->1695 1693->1695 1694->1695 1696 41c441-41c446 1695->1696 1697 41c43d-41c43f 1695->1697 1699 41c461-41c472 WriteFile 1696->1699 1700 41c448-41c456 SetFilePointer 1696->1700 1698 41c47f-41c484 1697->1698 1701 41c474 1699->1701 1702 41c476-41c47d FindCloseChangeNotification 1699->1702 1700->1699 1703 41c458-41c45f CloseHandle 1700->1703 1701->1702 1702->1698 1703->1697
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 0041C44D
                                            • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                            • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0041C477
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
                                            • String ID: hpF
                                            • API String ID: 1087594267-151379673
                                            • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                            • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                            • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                            • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                            APIs
                                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                              • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                              • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                              • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                              • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                            • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CloseCurrentOpenQueryValueWow64
                                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                            • API String ID: 782494840-2070987746
                                            • Opcode ID: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
                                            • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                            • Opcode Fuzzy Hash: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
                                            • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                            APIs
                                            • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                              • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                              • Part of subcall function 1000C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                              • Part of subcall function 1000C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProcProtectVirtual
                                            • String ID:
                                            • API String ID: 2099061454-0
                                            • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                            • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                            • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                            • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                            • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$ChangeCloseCreateFindNotificationSizeSleep
                                            • String ID: XQG
                                            • API String ID: 4068920109-3606453820
                                            • Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                            • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                            • Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                            • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                              • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                              • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                              • Part of subcall function 1000C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                              • Part of subcall function 1000C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProcProtectVirtual
                                            • String ID:
                                            • API String ID: 2099061454-0
                                            • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                            • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                            • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                            • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                            APIs
                                            • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                            • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                            • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                            • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressProcProtectVirtual$HandleModule
                                            • String ID:
                                            • API String ID: 2152742572-0
                                            • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                            • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                            • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                            • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountEventTick
                                            • String ID: !D@$NG
                                            • API String ID: 180926312-2721294649
                                            • Opcode ID: dedc2e9dadc4ad48971683b8b510cb0f0f250a46bc66036b7c2326b62641d59e
                                            • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                            • Opcode Fuzzy Hash: dedc2e9dadc4ad48971683b8b510cb0f0f250a46bc66036b7c2326b62641d59e
                                            • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                            • CreateThread.KERNELBASE(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                                            • CreateThread.KERNELBASE(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread$LocalTimewsprintf
                                            • String ID: Offline Keylogger Started
                                            • API String ID: 465354869-4114347211
                                            • Opcode ID: bde4462d29761b0d23c786235d2939a769aa686a4d808022a739f1360b93890e
                                            • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                            • Opcode Fuzzy Hash: bde4462d29761b0d23c786235d2939a769aa686a4d808022a739f1360b93890e
                                            • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                            APIs
                                            • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                            Strings
                                            • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Create$EventLocalThreadTime
                                            • String ID: KeepAlive | Enabled | Timeout:
                                            • API String ID: 2532271599-1507639952
                                            • Opcode ID: 5b2464df5b8dac7f4146cdbfda56de71be1ea15fa094643bc8b0c6bbca94d29d
                                            • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                            • Opcode Fuzzy Hash: 5b2464df5b8dac7f4146cdbfda56de71be1ea15fa094643bc8b0c6bbca94d29d
                                            • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                            APIs
                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                            • RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
                                            • RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseCreateValue
                                            • String ID: pth_unenc
                                            • API String ID: 1818849710-4028850238
                                            • Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                            • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                            • Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
                                            • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                            APIs
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                            • CreateThread.KERNELBASE(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00404DDB
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                                            • String ID:
                                            • API String ID: 2579639479-0
                                            • Opcode ID: 028699b46d8dcb15adfbe87a9e01acdc95aa5578d040106dea6d7dbf46413c9a
                                            • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                            • Opcode Fuzzy Hash: 028699b46d8dcb15adfbe87a9e01acdc95aa5578d040106dea6d7dbf46413c9a
                                            • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0041C4E5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$ChangeCloseCreateFindNotificationReadSize
                                            • String ID:
                                            • API String ID: 2135649906-0
                                            • Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
                                            • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                            • Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
                                            • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                            APIs
                                            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                            • GetLastError.KERNEL32 ref: 0040D083
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateErrorLastMutex
                                            • String ID: Rmc-SJ9MVF
                                            • API String ID: 1925916568-489630346
                                            • Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                            • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                            • Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                            • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                            APIs
                                            • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                            • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: EventObjectSingleWaitsend
                                            • String ID:
                                            • API String ID: 3963590051-0
                                            • Opcode ID: 9fc3f5fbc76b769c61b094c1e0d5237dee77039eb0f94f08c61e3471faa40265
                                            • Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
                                            • Opcode Fuzzy Hash: 9fc3f5fbc76b769c61b094c1e0d5237dee77039eb0f94f08c61e3471faa40265
                                            • Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4
                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                            • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID:
                                            • API String ID: 3677997916-0
                                            • Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                            • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                            • Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                            • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                            • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                            • RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID:
                                            • API String ID: 3677997916-0
                                            • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                            • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                            • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                            • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                            • RegCloseKey.KERNELBASE(?), ref: 00413592
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID:
                                            • API String ID: 3677997916-0
                                            • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                            • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                            • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                            • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                                            • RegCloseKey.KERNELBASE(?,?,?,0040C19C,00466C48), ref: 00413535
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID:
                                            • API String ID: 3677997916-0
                                            • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                            • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                            • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                            • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                            APIs
                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                            • RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                            • RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseCreateValue
                                            • String ID:
                                            • API String ID: 1818849710-0
                                            • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                            • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                            • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                            • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                            APIs
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                            • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                            • recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: EventObjectSingleWaitrecv
                                            • String ID:
                                            • API String ID: 311754179-0
                                            • Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                            • Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
                                            • Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                            • Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _wcslen
                                            • String ID: pQG
                                            • API String ID: 176396367-3769108836
                                            • Opcode ID: e8998cf28dcd9718db14c62255f57e315091e6a51e3e070f68c79c0d4cc3fbb9
                                            • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                            • Opcode Fuzzy Hash: e8998cf28dcd9718db14c62255f57e315091e6a51e3e070f68c79c0d4cc3fbb9
                                            • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?), ref: 0041B7CA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID: @
                                            • API String ID: 1890195054-2766056989
                                            • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                            • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                            • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                            • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                            APIs
                                            • GetStdHandle.KERNEL32(000000F6), ref: 1000736B
                                            • GetFileType.KERNELBASE(00000000), ref: 1000737D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FileHandleType
                                            • String ID:
                                            • API String ID: 3000768030-0
                                            • Opcode ID: 1840a6b79673b13cd3d072b9ddd79dce05a280615f1340ab33f998355891a153
                                            • Instruction ID: e86c036d32a0859c32490e3d1b68e1c75febfc356a3e106fe76682d7938830a3
                                            • Opcode Fuzzy Hash: 1840a6b79673b13cd3d072b9ddd79dce05a280615f1340ab33f998355891a153
                                            • Instruction Fuzzy Hash: 8B11E731D04B5286F330CA3D8C84616AAD5F7421F0B350729DCBED26F9C738DA82B641
                                            APIs
                                            • GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
                                            • GetFileType.KERNELBASE(00000000), ref: 00449C4E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileHandleType
                                            • String ID:
                                            • API String ID: 3000768030-0
                                            • Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                            • Instruction ID: 67a772f1b96ce562b336c628e562ce1c63ba93f9b2d947f4b03656f810f331b8
                                            • Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                            • Instruction Fuzzy Hash: E61160315047524AE7304E3E8CC86677AD5AB56335B380B2FD5B6876F1C638DC82AA49
                                            APIs
                                            • socket.WS2_32(00000002,00000001,00000006), ref: 00404852
                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                              • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateEventStartupsocket
                                            • String ID:
                                            • API String ID: 1953588214-0
                                            • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                            • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                                            • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                            • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                            APIs
                                            • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                                            • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                            • String ID:
                                            • API String ID: 3750050125-0
                                            • Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                            • Instruction ID: 876e10da87b92cf64c449b9c471687dd08192407587f6dd1e67cbf7e6a41b987
                                            • Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                                            • Instruction Fuzzy Hash: A0E0D83646820BEAFB11EEB498156FD37D8EB011C1F100536B851C115ECB39EB90F121
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
                                            • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                            • Opcode Fuzzy Hash: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
                                            • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                            APIs
                                            • GetForegroundWindow.USER32 ref: 0041BAB8
                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Window$ForegroundText
                                            • String ID:
                                            • API String ID: 29597999-0
                                            • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                            • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                                            • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                            • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
                                            • Instruction ID: 7a76c105a712203ac593d2e3a9180375903654e9edbd33c69f6c8f8a5c58a470
                                            • Opcode Fuzzy Hash: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
                                            • Instruction Fuzzy Hash: 971123B27201019FD7149B18C890FA6B76AFF51721B59425AE202CB3B2DB30EC91C694
                                            APIs
                                              • Part of subcall function 00445AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                                            • _free.LIBCMT ref: 00450140
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap_free
                                            • String ID:
                                            • API String ID: 614378929-0
                                            • Opcode ID: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                            • Instruction ID: a633634cbf7549e5c455a263606fb7810d0d6e042387cb83ce13a77316281608
                                            • Opcode Fuzzy Hash: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                            • Instruction Fuzzy Hash: 67014E761007449BE3218F59D881D5AFBD8FB85374F25061EE5D4532C1EA746805C779
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                            • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                                            • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                            • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                            • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                            • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                            • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                            APIs
                                            • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Startup
                                            • String ID:
                                            • API String ID: 724789610-0
                                            • Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                            • Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
                                            • Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                                            • Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
                                            APIs
                                            • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Deallocatestd::_
                                            • String ID:
                                            • API String ID: 1323251999-0
                                            • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                            • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                            • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                            • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                            APIs
                                            • VirtualAlloc.KERNELBASE(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                            • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                                            • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                            • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
                                            APIs
                                            • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                            • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                            • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                              • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                              • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                              • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                            • DeleteFileA.KERNEL32(?), ref: 00408652
                                              • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                              • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                              • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                              • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                            • Sleep.KERNEL32(000007D0), ref: 004086F8
                                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                              • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                            • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                            • API String ID: 1067849700-181434739
                                            • Opcode ID: 4f146eea14745ebcfbd61c90114e3ddb7af8b02f27df9f5477665baad6dbf6e0
                                            • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                            • Opcode Fuzzy Hash: 4f146eea14745ebcfbd61c90114e3ddb7af8b02f27df9f5477665baad6dbf6e0
                                            • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                            APIs
                                            • __Init_thread_footer.LIBCMT ref: 004056E6
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • __Init_thread_footer.LIBCMT ref: 00405723
                                            • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                            • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                            • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                            • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                            • CloseHandle.KERNEL32 ref: 00405A23
                                            • CloseHandle.KERNEL32 ref: 00405A2B
                                            • CloseHandle.KERNEL32 ref: 00405A3D
                                            • CloseHandle.KERNEL32 ref: 00405A45
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                            • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                            • API String ID: 2994406822-18413064
                                            • Opcode ID: d822b09cf1c83d37968f1791560ca3d4abf36940af86ae54e3bb9bd7b62a3c98
                                            • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                            • Opcode Fuzzy Hash: d822b09cf1c83d37968f1791560ca3d4abf36940af86ae54e3bb9bd7b62a3c98
                                            • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                            APIs
                                            • GetCurrentProcessId.KERNEL32 ref: 00412106
                                              • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                              • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                              • Part of subcall function 00413877: RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                            • CloseHandle.KERNEL32(00000000), ref: 00412155
                                            • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                            • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                            • API String ID: 3018269243-13974260
                                            • Opcode ID: 9d119246e84025a970330983d704997797f1987c408abeed7c2a75e62c7f15ce
                                            • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                            • Opcode Fuzzy Hash: 9d119246e84025a970330983d704997797f1987c408abeed7c2a75e62c7f15ce
                                            • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                            APIs
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                            • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                            • FindClose.KERNEL32(00000000), ref: 0040BD12
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                            • API String ID: 1164774033-3681987949
                                            • Opcode ID: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
                                            • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                            • Opcode Fuzzy Hash: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
                                            • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                            APIs
                                            • OpenClipboard.USER32 ref: 004168C2
                                            • EmptyClipboard.USER32 ref: 004168D0
                                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                            • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                            • CloseClipboard.USER32 ref: 00416955
                                            • OpenClipboard.USER32 ref: 0041695C
                                            • GetClipboardData.USER32(0000000D), ref: 0041696C
                                            • GlobalLock.KERNEL32(00000000), ref: 00416975
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                            • CloseClipboard.USER32 ref: 00416984
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                            • String ID: !D@
                                            • API String ID: 3520204547-604454484
                                            • Opcode ID: 87d49a8bb6f540de46fc3d8776ee09c35eeed2095cf9406eee51325eb26e7f5f
                                            • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                            • Opcode Fuzzy Hash: 87d49a8bb6f540de46fc3d8776ee09c35eeed2095cf9406eee51325eb26e7f5f
                                            • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                            APIs
                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                            • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                            • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                            • FindClose.KERNEL32(00000000), ref: 0040BED0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$Close$File$FirstNext
                                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                            • API String ID: 3527384056-432212279
                                            • Opcode ID: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
                                            • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                            • Opcode Fuzzy Hash: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
                                            • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                            APIs
                                            • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                            • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                            • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                            • CloseHandle.KERNEL32(?), ref: 00413465
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                            • String ID:
                                            • API String ID: 297527592-0
                                            • Opcode ID: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
                                            • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                            • Opcode Fuzzy Hash: cbaf96c0539d14e3bfc579cb390cbf1a6d01f92e477562203843d299bee7c5bd
                                            • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                            • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                            • API String ID: 3756808967-1743721670
                                            • Opcode ID: 90faf2f721b21ffb45675a87819334aaa6a04f4aded6564cc26d2d7333f5989a
                                            • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                            • Opcode Fuzzy Hash: 90faf2f721b21ffb45675a87819334aaa6a04f4aded6564cc26d2d7333f5989a
                                            • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 0$1$2$3$4$5$6$7$VG
                                            • API String ID: 0-1861860590
                                            • Opcode ID: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
                                            • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                            • Opcode Fuzzy Hash: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
                                            • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                            APIs
                                            • _wcslen.LIBCMT ref: 00407521
                                            • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Object_wcslen
                                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                            • API String ID: 240030777-3166923314
                                            • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                            • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                            • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                            • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                            APIs
                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                            • GetLastError.KERNEL32 ref: 0041A7BB
                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                            • String ID:
                                            • API String ID: 3587775597-0
                                            • Opcode ID: 6acfec477c33960adb53ca531a04b71f608e95b4af76d4dccda85eb8d0b50c1e
                                            • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                            • Opcode Fuzzy Hash: 6acfec477c33960adb53ca531a04b71f608e95b4af76d4dccda85eb8d0b50c1e
                                            • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                            • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                            • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                            • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                            • String ID: lJD$lJD$lJD
                                            • API String ID: 745075371-479184356
                                            • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                            • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                            • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                            • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                            APIs
                                            • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                            • FindClose.KERNEL32(00000000), ref: 0040C47D
                                            • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                            • API String ID: 1164774033-405221262
                                            • Opcode ID: a34705f68051002ea99731e8adc2113364d280835ee8f946c00b440953ebf762
                                            • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                            • Opcode Fuzzy Hash: a34705f68051002ea99731e8adc2113364d280835ee8f946c00b440953ebf762
                                            • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                            APIs
                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                                              • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                                            • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                            • String ID:
                                            • API String ID: 2341273852-0
                                            • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                            • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                            • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                            • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                            APIs
                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                              • Part of subcall function 0041C485: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$Find$CreateFirstNext
                                            • String ID: 8SG$PXG$PXG$NG$PG
                                            • API String ID: 341183262-3812160132
                                            • Opcode ID: b022304c27adff8fd39335163145ce7540c7207297e3c92f81a0993595b3cc26
                                            • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                            • Opcode Fuzzy Hash: b022304c27adff8fd39335163145ce7540c7207297e3c92f81a0993595b3cc26
                                            • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                            APIs
                                            • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                            • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                            • GetKeyState.USER32(00000010), ref: 0040A433
                                            • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                                            • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                            • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                            • String ID:
                                            • API String ID: 1888522110-0
                                            • Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                            • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                            • Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                                            • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                            APIs
                                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                            • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                            • API String ID: 2127411465-314212984
                                            • Opcode ID: 6731f6da6f8a297f85fcb12c49c5e4a50a6500941c9d491d37afae9de194af20
                                            • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                            • Opcode Fuzzy Hash: 6731f6da6f8a297f85fcb12c49c5e4a50a6500941c9d491d37afae9de194af20
                                            • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                            APIs
                                            • _free.LIBCMT ref: 00449212
                                            • _free.LIBCMT ref: 00449236
                                            • _free.LIBCMT ref: 004493BD
                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                            • _free.LIBCMT ref: 00449589
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                            • String ID:
                                            • API String ID: 314583886-0
                                            • Opcode ID: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
                                            • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                            • Opcode Fuzzy Hash: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
                                            • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                            APIs
                                              • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                              • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                              • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                              • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                              • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                            • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                            • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                            • String ID: !D@$PowrProf.dll$SetSuspendState
                                            • API String ID: 1589313981-2876530381
                                            • Opcode ID: 808f25f0b35ca0a049c08b025eaa36e97cdb378869ef4b72705573af330ecb01
                                            • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                            • Opcode Fuzzy Hash: 808f25f0b35ca0a049c08b025eaa36e97cdb378869ef4b72705573af330ecb01
                                            • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                            APIs
                                            • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                            • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                            • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InfoLocale
                                            • String ID: ACP$OCP$['E
                                            • API String ID: 2299586839-2532616801
                                            • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                            • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                            • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                            • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                            APIs
                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                            • GetLastError.KERNEL32 ref: 0040BA58
                                            Strings
                                            • UserProfile, xrefs: 0040BA1E
                                            • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                            • [Chrome StoredLogins not found], xrefs: 0040BA72
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DeleteErrorFileLast
                                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                            • API String ID: 2018770650-1062637481
                                            • Opcode ID: 008ec232383838ba67865b61595300985ebead86482bee1f0298aab426d5d3e8
                                            • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                            • Opcode Fuzzy Hash: 008ec232383838ba67865b61595300985ebead86482bee1f0298aab426d5d3e8
                                            • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                            • GetLastError.KERNEL32 ref: 0041799D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                            • String ID: SeShutdownPrivilege
                                            • API String ID: 3534403312-3733053543
                                            • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                            • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                            • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                            • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00409258
                                              • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,01099ED0,00000010), ref: 004048E0
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                            • FindClose.KERNEL32(00000000), ref: 004093C1
                                              • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                              • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                              • Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                            • FindClose.KERNEL32(00000000), ref: 004095B9
                                              • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                              • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                            • String ID:
                                            • API String ID: 2435342581-0
                                            • Opcode ID: b872af409f18d4e2bb7bbba0f0478c6e37307eeb8e5c6a27a813a89ef4a7cb37
                                            • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                            • Opcode Fuzzy Hash: b872af409f18d4e2bb7bbba0f0478c6e37307eeb8e5c6a27a813a89ef4a7cb37
                                            • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                            • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Service$CloseHandle$Open$ManagerStart
                                            • String ID:
                                            • API String ID: 276877138-0
                                            • Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                            • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                            • Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
                                            • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                            • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                            • _wcschr.LIBVCRUNTIME ref: 00451E58
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                            • String ID: sJD
                                            • API String ID: 4212172061-3536923933
                                            • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                            • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                            • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                            • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                            APIs
                                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                            • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                            • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                            • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Resource$FindLoadLockSizeof
                                            • String ID: SETTINGS
                                            • API String ID: 3473537107-594951305
                                            • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                            • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                            • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                            • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 0040966A
                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseFirstH_prologNext
                                            • String ID:
                                            • API String ID: 1157919129-0
                                            • Opcode ID: 4a325c590a34807a26d63d289d9f2ec3f664a0255ff010795f7d94bc543c6bf4
                                            • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                            • Opcode Fuzzy Hash: 4a325c590a34807a26d63d289d9f2ec3f664a0255ff010795f7d94bc543c6bf4
                                            • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00408811
                                            • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                            • String ID:
                                            • API String ID: 1771804793-0
                                            • Opcode ID: 9a638f232f7986981f55bddf65949b622a13160512e68c16031e1c55a9115e6e
                                            • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                            • Opcode Fuzzy Hash: 9a638f232f7986981f55bddf65949b622a13160512e68c16031e1c55a9115e6e
                                            • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                            APIs
                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DownloadExecuteFileShell
                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$open
                                            • API String ID: 2825088817-2881483049
                                            • Opcode ID: f1941036226fa54e6043914fd463a0f574d918fd3174e9f6e0778fc81caab277
                                            • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                            • Opcode Fuzzy Hash: f1941036226fa54e6043914fd463a0f574d918fd3174e9f6e0778fc81caab277
                                            • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                            APIs
                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileFind$FirstNextsend
                                            • String ID: XPG$XPG
                                            • API String ID: 4113138495-1962359302
                                            • Opcode ID: 8ec9f0cc365a37df7811e5b4f0ae14501dc80df39e96773c8ea2da6c59a756f9
                                            • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                            • Opcode Fuzzy Hash: 8ec9f0cc365a37df7811e5b4f0ae14501dc80df39e96773c8ea2da6c59a756f9
                                            • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                            APIs
                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                              • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                              • Part of subcall function 0041376F: RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
                                              • Part of subcall function 0041376F: RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseCreateInfoParametersSystemValue
                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                            • API String ID: 4127273184-3576401099
                                            • Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
                                            • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                            • Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
                                            • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorInfoLastLocale$_free$_abort
                                            • String ID:
                                            • API String ID: 2829624132-0
                                            • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                            • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                            • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                            • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                            APIs
                                            • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00000000), ref: 00433849
                                            • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                            • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Crypt$Context$AcquireRandomRelease
                                            • String ID:
                                            • API String ID: 1815803762-0
                                            • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                            • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                            • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                            • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                            APIs
                                            • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                            • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                            • ExitProcess.KERNEL32 ref: 10004AEE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Process$CurrentExitTerminate
                                            • String ID:
                                            • API String ID: 1703294689-0
                                            • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                            • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                            • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                            • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                            APIs
                                            • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                                            • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                                            • ExitProcess.KERNEL32 ref: 004432EF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CurrentExitTerminate
                                            • String ID:
                                            • API String ID: 1703294689-0
                                            • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                            • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                            • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                            • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                            APIs
                                            • OpenClipboard.USER32(00000000), ref: 0040B711
                                            • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                            • CloseClipboard.USER32 ref: 0040B725
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Clipboard$CloseDataOpen
                                            • String ID:
                                            • API String ID: 2058664381-0
                                            • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                            • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                            • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                            • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                            APIs
                                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
                                            • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                                            • CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CloseHandleOpenSuspend
                                            • String ID:
                                            • API String ID: 1999457699-0
                                            • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                            • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                                            • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                            • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                                            APIs
                                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
                                            • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                                            • CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CloseHandleOpenResume
                                            • String ID:
                                            • API String ID: 3614150671-0
                                            • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                            • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                                            • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                            • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .
                                            • API String ID: 0-248832578
                                            • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                            • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                            • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                            • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: .
                                            • API String ID: 0-248832578
                                            • Opcode ID: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                                            • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                            • Opcode Fuzzy Hash: 467a2b870f27eeaba5f3d85303d6c443c91537f9433fd9512f86f3d9895b4a39
                                            • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                            • String ID: lJD
                                            • API String ID: 1084509184-3316369744
                                            • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                            • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                            • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                            • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                            • String ID: lJD
                                            • API String ID: 1084509184-3316369744
                                            • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                            • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                            • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                            • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                            APIs
                                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InfoLocale
                                            • String ID: GetLocaleInfoEx
                                            • API String ID: 2299586839-2904428671
                                            • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                            • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                            • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                            • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$_free$InfoLocale_abort
                                            • String ID:
                                            • API String ID: 1663032902-0
                                            • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                            • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                            • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                            • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$InfoLocale_abort_free
                                            • String ID:
                                            • API String ID: 2692324296-0
                                            • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                            • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                            • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                            • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                            APIs
                                              • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                            • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                            • String ID:
                                            • API String ID: 1272433827-0
                                            • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                            • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                            • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                            • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                            • String ID:
                                            • API String ID: 1084509184-0
                                            • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                            • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                            • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                            • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                            APIs
                                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                            • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                              • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                            • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                            • DeleteDC.GDI32(00000000), ref: 00418F2A
                                            • DeleteDC.GDI32(00000000), ref: 00418F2D
                                            • DeleteObject.GDI32(00000000), ref: 00418F30
                                            • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                            • DeleteDC.GDI32(00000000), ref: 00418F62
                                            • DeleteDC.GDI32(00000000), ref: 00418F65
                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                            • GetCursorInfo.USER32(?), ref: 00418FA7
                                            • GetIconInfo.USER32(?,?), ref: 00418FBD
                                            • DeleteObject.GDI32(?), ref: 00418FEC
                                            • DeleteObject.GDI32(?), ref: 00418FF9
                                            • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                            • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                            • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                            • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                            • DeleteDC.GDI32(?), ref: 0041917C
                                            • DeleteDC.GDI32(00000000), ref: 0041917F
                                            • DeleteObject.GDI32(00000000), ref: 00419182
                                            • GlobalFree.KERNEL32(?), ref: 0041918D
                                            • DeleteObject.GDI32(00000000), ref: 00419241
                                            • GlobalFree.KERNEL32(?), ref: 00419248
                                            • DeleteDC.GDI32(?), ref: 00419258
                                            • DeleteDC.GDI32(00000000), ref: 00419263
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                            • String ID: DISPLAY
                                            • API String ID: 4256916514-865373369
                                            • Opcode ID: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
                                            • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                            • Opcode Fuzzy Hash: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
                                            • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                            APIs
                                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                              • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                              • Part of subcall function 0041C3F1: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                            • ExitProcess.KERNEL32 ref: 0040D7D0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                            • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                            • API String ID: 1861856835-332907002
                                            • Opcode ID: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                                            • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                            • Opcode Fuzzy Hash: e9f8996b9413f065d588b702d7c496c9e290e02a5e9f4f4bb55cf67c86df2bed
                                            • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                            APIs
                                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                              • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                              • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                            • ExitProcess.KERNEL32 ref: 0040D419
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                            • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                            • API String ID: 3797177996-2557013105
                                            • Opcode ID: 05e3ec18fa8463a6322569f1bb3c1d7af6336844a107ad2f8429c4fb3964e9d7
                                            • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                            • Opcode Fuzzy Hash: 05e3ec18fa8463a6322569f1bb3c1d7af6336844a107ad2f8429c4fb3964e9d7
                                            • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
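The two functions above (0040D1A5 and 0040D51D) share the same uninstall flow: delete the HKCU Run entry, reset the binary's attributes with SetFileAttributesW(…, 00000080), write a .vbs to Temp whose strings the report lists ("On Error Resume Next", "while fso.FileExists(", "wend", "fso.DeleteFolder "", "fso.DeleteFile(Wscript.ScriptFullName)"), launch it with ShellExecuteW and exit. The script spins until the now-exited process has released its file, deletes it, then deletes itself. The following detector is an added example, not code from Joe Sandbox or from the sample; the VBScript it runs on is reassembled from the string fragments in the report, with placeholder paths, since the real script body is not on the page.

```python
import re

# Constructed VBScript sample: reassembled from the string fragments the report lists
# for this function. The real update.vbs body is not on the page; paths are placeholders.
SAMPLE_VBS = '''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\\Users\\victim\\AppData\\Roaming\\app\\app.exe")
fso.DeleteFile "C:\\Users\\victim\\AppData\\Roaming\\app\\app.exe"
wend
fso.DeleteFolder "C:\\Users\\victim\\AppData\\Roaming\\app"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# One regex per fragment of the pattern. The verdict needs the three that together
# form "spin until the binary is unlocked, delete it, then remove the script itself";
# the others are supporting indicators that raise confidence but are not required.
INDICATORS = {
    "error_suppress": re.compile(r"^\s*On Error Resume Next", re.I | re.M),
    "fso_create":     re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "delete_loop":    re.compile(r"while\s+fso\.FileExists\(.*?\).*?fso\.DeleteFile.*?\bwend\b", re.I | re.S),
    "folder_delete":  re.compile(r"fso\.DeleteFolder\b", re.I),
    "self_delete":    re.compile(r"fso\.DeleteFile\s*\(?\s*Wscript\.ScriptFullName", re.I),
    "shell_run":      re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c', re.I),
}

# Quoted paths handed to DeleteFile/DeleteFolder: these are the artefacts the
# uninstaller removed, which is what a responder wants to know after the fact.
TARGET_RE = re.compile(r'fso\.Delete(?:File|Folder)\s*\(?\s*"([^"]+)"', re.I)

def classify_vbs(text):
    """Return the indicators found, the deletion targets (deduplicated, in script
    order) and a verdict for one script body."""
    found = [name for name, rx in INDICATORS.items() if rx.search(text)]
    targets = list(dict.fromkeys(TARGET_RE.findall(text)))
    core = {"fso_create", "delete_loop", "self_delete"}
    verdict = "self-deleting uninstaller" if core <= set(found) else "no match"
    return {"verdict": verdict, "indicators": found, "targets": targets}
```

A plain `fso.DeleteFile` on its own is common in legitimate scripts, which is why the verdict is tied to the busy-wait loop plus the self-deletion rather than to any single call; the `targets` list is still returned for non-matching scripts so it can be used for triage either way.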
                                            APIs
                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                            • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                            • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                            • GetCurrentProcessId.KERNEL32 ref: 00412541
                                            • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                            • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                            • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                              • Part of subcall function 0041C3F1: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                            • Sleep.KERNEL32(000001F4), ref: 00412682
                                            • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                            • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                            • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                            • String ID: .exe$8SG$WDH$exepath$open$temp_
                                            • API String ID: 2649220323-436679193
                                            • Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                            • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                            • Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
                                            • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                            APIs
                                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                            • SetEvent.KERNEL32 ref: 0041B219
                                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                            • CloseHandle.KERNEL32 ref: 0041B23A
                                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                            • API String ID: 738084811-2094122233
                                            • Opcode ID: 50832f8bf9a84463f1ce31ba7bee2e24b45050ddeed62568717ea9fad8fd07d9
                                            • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                            • Opcode Fuzzy Hash: 50832f8bf9a84463f1ce31ba7bee2e24b45050ddeed62568717ea9fad8fd07d9
                                            • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                            • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                            • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                            • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$Write$Create
                                            • String ID: RIFF$WAVE$data$fmt
                                            • API String ID: 1602526932-4212202414
                                            • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                            • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                            • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                            • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
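The WriteFile sequence at 00401AD9 (chunk lengths 4,4,4,4,4,2,2,4,4,2,2,4,4 with the literals RIFF, WAVE, "fmt " and data) is consistent with the canonical 44-byte PCM WAV header, which is how the microphone capture driven by the mciSendString routine above is stored. The builder and parser below are an added example, not code from the sample or from Joe Sandbox; the sample rate, channel count and bit depth are assumptions for illustration, since the report shows the field positions but not the values written. The parser is written for recovered files: a capture cut short before the size fields were patched, or a header with an inconsistent RIFF size, is flagged rather than rejected so the PCM samples can still be carved.

```python
import struct

# Canonical 44-byte PCM WAV header. The field order is exactly the WriteFile order
# in the report: RIFF, riff_size, WAVE, "fmt ", 16, tag, channels, rate, byte_rate,
# block_align, bits, data, data_len.
HEADER_LEN = 44

def build_wav_header(data_len, channels=1, sample_rate=8000, bits=16):
    """Return the 44-byte header that precedes data_len bytes of PCM samples.
    Defaults are assumed values for illustration, not the sample's settings."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    return (
        b"RIFF" + struct.pack("<I", 36 + data_len) + b"WAVE"
        + b"fmt " + struct.pack("<I", 16)
        + struct.pack("<HHIIHH", 1, channels, sample_rate, byte_rate, block_align, bits)
        + b"data" + struct.pack("<I", data_len)
    )

def parse_wav_header(blob):
    """Decode a header from a recovered file. Raises ValueError only when the magic
    values are wrong; size or format mismatches are reported via 'consistent' so a
    truncated or stale-size recording can still be processed."""
    if len(blob) < HEADER_LEN:
        raise ValueError("fewer than 44 bytes, not a complete header")
    riff, riff_size, wave, fmt_id, fmt_size = struct.unpack_from("<4sI4s4sI", blob, 0)
    if (riff, wave, fmt_id) != (b"RIFF", b"WAVE", b"fmt ") or fmt_size != 16:
        raise ValueError("not a canonical PCM WAV header")
    tag, channels, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", blob, 20)
    data_id, data_len = struct.unpack_from("<4sI", blob, 36)
    if data_id != b"data":
        raise ValueError("data chunk not at offset 36")
    consistent = (
        tag == 1                              # WAVE_FORMAT_PCM
        and align == channels * bits // 8
        and byte_rate == rate * align
        and riff_size == 36 + data_len
    )
    return {
        "channels": channels,
        "sample_rate": rate,
        "bits": bits,
        "data_len": data_len,                 # what the header claims
        "actual_data_len": len(blob) - HEADER_LEN,  # what is really present
        "duration_s": data_len / byte_rate if byte_rate else 0.0,
        "consistent": consistent,
    }
```

When `data_len` and `actual_data_len` disagree, trust the bytes on disk: the claimed length is whatever the writer last stored, and a process killed mid-capture never gets to patch it.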
                                            APIs
                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                            • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                            • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                            • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                            • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                            • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                            • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                            • API String ID: 1646373207-4283035339
                                            • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                            • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                            • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                            • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                            APIs
                                              • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                              • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                              • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                            • _strlen.LIBCMT ref: 10001855
                                            • _strlen.LIBCMT ref: 10001869
                                            • _strlen.LIBCMT ref: 1000188B
                                            • _strlen.LIBCMT ref: 100018AE
                                            • _strlen.LIBCMT ref: 100018C8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _strlen$File$CopyCreateDelete
                                            • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                            • API String ID: 3296212668-3023110444
                                            • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                            • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                            • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                            • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                            APIs
                                            • _wcslen.LIBCMT ref: 0040CE07
                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                            • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                            • _wcslen.LIBCMT ref: 0040CEE6
                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                            • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000), ref: 0040CF84
                                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                            • _wcslen.LIBCMT ref: 0040CFC6
                                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                            • ExitProcess.KERNEL32 ref: 0040D062
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                            • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$del$open
                                            • API String ID: 1579085052-1506045317
                                            • Opcode ID: 37bf41b36f569e96123a73dee1261e03dac0feab31b5a087a033d73400f0ce52
                                            • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                            • Opcode Fuzzy Hash: 37bf41b36f569e96123a73dee1261e03dac0feab31b5a087a033d73400f0ce52
                                            • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
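Read together, the function listings in this part of the report describe the implant's behaviours by their API sequences: CreateDCA("DISPLAY") / CreateCompatibleBitmap / BitBlt / GetDIBits for screen capture, mciSendString for audio, GetModuleHandleW("ntdll.dll", "NtAllocateVirtualMemory" …) / GetProcAddress for resolving native functions at run time, RegDeleteKeyA for removing the Run entry, and CopyFileW / SetFileAttributesW(…, 00000007) / ShellExecuteW for the self-copy install just above (7 is READONLY|HIDDEN|SYSTEM; the uninstall routine resets to 00000080, NORMAL, before deleting). The script below turns those listings into a triage pass. It is an added example, not part of Joe Sandbox or of the sample; the rule table is this editor's own heuristic mapping, and the input is a set of "APIs" bullet lines copied verbatim from the listings on this page.

```python
import re

# Constructed input: "APIs" bullet lines copied from several function listings in
# this report (screen capture, audio, ntdll lookup, uninstall and install routines).
REPORT_LINES = r"""
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
• GetProcAddress.KERNEL32(00000000), ref: 004072A5
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000000,00000000), ref: 0040CF84
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
• ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
• ExitProcess.KERNEL32 ref: 0040D062
"""

# Api.MODULE(args), ref: ADDRESS   (the argument list is optional, see ExitProcess)
CALL_RE = re.compile(r"(\w+)\.([A-Z0-9]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")

# Heuristic rules (this editor's own mapping, not Joe Sandbox's): a list of
# alternative groups; every group must be hit by at least one call.
RULES = {
    "screen capture": [{"CreateDCA", "CreateDCW"}, {"CreateCompatibleBitmap"},
                       {"BitBlt", "StretchBlt"}, {"GetDIBits"}],
    "audio capture (MCI)": [{"mciSendStringA", "mciSendStringW"}],
    "dynamic ntdll resolution": [{"GetModuleHandleA", "GetModuleHandleW"}, {"GetProcAddress"}],
    "run-key removal": [{"RegDeleteKeyA", "RegDeleteKeyW"}],
    "self-copy install": [{"CopyFileA", "CopyFileW"}, {"SetFileAttributesA", "SetFileAttributesW"},
                          {"ShellExecuteA", "ShellExecuteW"}],
}

# FILE_ATTRIBUTE_* bits seen as the second SetFileAttributes argument in the report.
FILE_ATTRIBUTES = [(0x1, "READONLY"), (0x2, "HIDDEN"), (0x4, "SYSTEM"),
                   (0x10, "DIRECTORY"), (0x20, "ARCHIVE"), (0x80, "NORMAL")]

def decode_file_attributes(value):
    return [name for bit, name in FILE_ATTRIBUTES if value & bit]

def parse_calls(text):
    """Yield (api, module, [args], ref) for every call line in the listing text."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            api, module, args, ref = m.groups()
            calls.append((api, module, [a.strip() for a in (args or "").split(",")], ref.upper()))
    return calls

def triage(text):
    calls = parse_calls(text)
    seen = {api for api, _, _, _ in calls}
    caps = {}
    for name, groups in RULES.items():
        if all(seen & g for g in groups):
            wanted = set().union(*groups)
            caps[name] = [ref for api, _, _, ref in calls if api in wanted]   # supporting addresses
    # Native functions looked up by name in ntdll: the injection / unhooking primitives.
    natives = [args[1] for api, _, args, _ in calls
               if api.startswith("GetModuleHandle") and len(args) > 1
               and args[0].lower() == "ntdll.dll" and re.match(r"(Nt|Zw|Rtl|Ldr)", args[1])]
    # Decode constant attribute masks so HIDDEN|SYSTEM on the dropped copy is explicit.
    attrs = {}
    for api, _, args, ref in calls:
        if api.startswith("SetFileAttributes") and len(args) > 1 and re.fullmatch(r"[0-9A-Fa-f]+", args[1]):
            attrs[ref] = decode_file_attributes(int(args[1], 16))
    return {"capabilities": caps, "resolved_natives": natives, "attribute_sets": attrs}
```

The addresses returned per capability are the `ref:` values, so each hit can be followed straight back to the function listing it came from; the rules deliberately require the full GDI chain for "screen capture", since DeleteDC/SelectObject alone appear in plenty of benign UI code.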
                                            APIs
                                            • lstrlenW.KERNEL32(?), ref: 0041C036
                                            • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                            • lstrlenW.KERNEL32(?), ref: 0041C067
                                            • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                            • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                            • _wcslen.LIBCMT ref: 0041C13B
                                            • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                            • GetLastError.KERNEL32 ref: 0041C173
                                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                            • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                            • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                            • GetLastError.KERNEL32 ref: 0041C1D0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                            • String ID: ?
                                            • API String ID: 3941738427-1684325040
                                            • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                            • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                            • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                            • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _strlen
                                            • String ID: %m$~$Gon~$~F@7$~dra
                                            • API String ID: 4218353326-230879103
                                            • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                            • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                            • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                            • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$EnvironmentVariable$_wcschr
                                            • String ID:
                                            • API String ID: 3899193279-0
                                            • Opcode ID: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                                            • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                            • Opcode Fuzzy Hash: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                                            • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                            APIs
                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                            • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                            • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                            • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                            • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                            • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                            • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                            • API String ID: 2490988753-744132762
                                            • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                            • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                            • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                            • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                            APIs
                                            • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                            • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseEnumOpen
                                            • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                            • API String ID: 1332880857-3714951968
                                            • Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                            • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                            • Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
                                            • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                            APIs
                                            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                            • GetCursorPos.USER32(?), ref: 0041D5E9
                                            • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                            • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                            • ExitProcess.KERNEL32 ref: 0041D665
                                            • CreatePopupMenu.USER32 ref: 0041D66B
                                            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                            • String ID: Close
                                            • API String ID: 1657328048-3535843008
                                            • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                            • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                            • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                            • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$Info
                                            • String ID:
                                            • API String ID: 2509303402-0
                                            • Opcode ID: 8630906f26d86e97c2d01feafad3d8567ddb50c678f2cb36b5e7577a775c1f69
                                            • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                            • Opcode Fuzzy Hash: 8630906f26d86e97c2d01feafad3d8567ddb50c678f2cb36b5e7577a775c1f69
                                            • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                            • __aulldiv.LIBCMT ref: 00408D4D
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                            • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                            • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                            • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                            • API String ID: 3086580692-2582957567
                                            • Opcode ID: 83544a841d733fb685d9403c845306c33a91344e28fc051850798e968e587a75
                                            • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                            • Opcode Fuzzy Hash: 83544a841d733fb685d9403c845306c33a91344e28fc051850798e968e587a75
                                            • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                            APIs
                                            • ___free_lconv_mon.LIBCMT ref: 10007D06
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                              • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                            • _free.LIBCMT ref: 10007CFB
                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                            • _free.LIBCMT ref: 10007D1D
                                            • _free.LIBCMT ref: 10007D32
                                            • _free.LIBCMT ref: 10007D3D
                                            • _free.LIBCMT ref: 10007D5F
                                            • _free.LIBCMT ref: 10007D72
                                            • _free.LIBCMT ref: 10007D80
                                            • _free.LIBCMT ref: 10007D8B
                                            • _free.LIBCMT ref: 10007DC3
                                            • _free.LIBCMT ref: 10007DCA
                                            • _free.LIBCMT ref: 10007DE7
                                            • _free.LIBCMT ref: 10007DFF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                            • String ID:
                                            • API String ID: 161543041-0
                                            • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                            • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                            • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                            • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                            APIs
                                            • ___free_lconv_mon.LIBCMT ref: 0045130A
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                              • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                            • _free.LIBCMT ref: 004512FF
                                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                            • _free.LIBCMT ref: 00451321
                                            • _free.LIBCMT ref: 00451336
                                            • _free.LIBCMT ref: 00451341
                                            • _free.LIBCMT ref: 00451363
                                            • _free.LIBCMT ref: 00451376
                                            • _free.LIBCMT ref: 00451384
                                            • _free.LIBCMT ref: 0045138F
                                            • _free.LIBCMT ref: 004513C7
                                            • _free.LIBCMT ref: 004513CE
                                            • _free.LIBCMT ref: 004513EB
                                            • _free.LIBCMT ref: 00451403
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                            • String ID:
                                            • API String ID: 161543041-0
                                            • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                            • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                            • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                            • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 00419FB9
                                            • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                            • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                            • GetLocalTime.KERNEL32(?), ref: 0041A105
                                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                            • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                            • API String ID: 489098229-1431523004
                                            • Opcode ID: 8e408b2f37b5a40c6075e10aa462efa04368c9b3309c0ae95edff302c11cc8c3
                                            • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                            • Opcode Fuzzy Hash: 8e408b2f37b5a40c6075e10aa462efa04368c9b3309c0ae95edff302c11cc8c3
                                            • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                            APIs
                                              • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                              • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                              • Part of subcall function 004136F8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                              • Part of subcall function 004136F8: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                              • Part of subcall function 004136F8: RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                            • ExitProcess.KERNEL32 ref: 0040D9C4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                            • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                            • API String ID: 1913171305-3159800282
                                            • Opcode ID: 8ebae07e8f6c8f74514d1fd5372f7af3bc825de0b8ae22118dbe10495fe42a9d
                                            • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                            • Opcode Fuzzy Hash: 8ebae07e8f6c8f74514d1fd5372f7af3bc825de0b8ae22118dbe10495fe42a9d
                                            • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free
                                            • String ID:
                                            • API String ID: 269201875-0
                                            • Opcode ID: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                                            • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                            • Opcode Fuzzy Hash: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                                            • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                            APIs
                                              • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                            • GetLastError.KERNEL32 ref: 00455CEF
                                            • __dosmaperr.LIBCMT ref: 00455CF6
                                            • GetFileType.KERNEL32(00000000), ref: 00455D02
                                            • GetLastError.KERNEL32 ref: 00455D0C
                                            • __dosmaperr.LIBCMT ref: 00455D15
                                            • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                            • CloseHandle.KERNEL32(?), ref: 00455E7F
                                            • GetLastError.KERNEL32 ref: 00455EB1
                                            • __dosmaperr.LIBCMT ref: 00455EB8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                            • String ID: H
                                            • API String ID: 4237864984-2852464175
                                            • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                            • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                            • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                            • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                            APIs
                                            • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                            • __alloca_probe_16.LIBCMT ref: 00453EEA
                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                            • __alloca_probe_16.LIBCMT ref: 00453F94
                                            • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                            • __freea.LIBCMT ref: 00454003
                                            • __freea.LIBCMT ref: 0045400F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                            • String ID: \@E
                                            • API String ID: 201697637-1814623452
                                            • Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                                            • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                            • Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                                            • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free
                                            • String ID: \&G$\&G$`&G
                                            • API String ID: 269201875-253610517
                                            • Opcode ID: f843711e33ddf2e4d4c3baca2ca6b2426e0ab7997c39caf6bf5fac4d84d12184
                                            • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                            • Opcode Fuzzy Hash: f843711e33ddf2e4d4c3baca2ca6b2426e0ab7997c39caf6bf5fac4d84d12184
                                            • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: 65535$udp
                                            • API String ID: 0-1267037602
                                            • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                            • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                            • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                            • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                            • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                            • __dosmaperr.LIBCMT ref: 0043A8A6
                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                            • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                            • __dosmaperr.LIBCMT ref: 0043A8E3
                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                            • __dosmaperr.LIBCMT ref: 0043A937
                                            • _free.LIBCMT ref: 0043A943
                                            • _free.LIBCMT ref: 0043A94A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                            • String ID:
                                            • API String ID: 2441525078-0
                                            • Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                                            • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                            • Opcode Fuzzy Hash: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                                            • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                            APIs
                                            • SetEvent.KERNEL32(?,?), ref: 004054BF
                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                            • TranslateMessage.USER32(?), ref: 0040557E
                                            • DispatchMessageA.USER32(?), ref: 00405589
                                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                            • String ID: CloseChat$DisplayMessage$GetMessage
                                            • API String ID: 2956720200-749203953
                                            • Opcode ID: 9d39b559347b55e8c8e8a84f4443f67c4d3acb4c84b22e38f0548149d05e883c
                                            • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                            • Opcode Fuzzy Hash: 9d39b559347b55e8c8e8a84f4443f67c4d3acb4c84b22e38f0548149d05e883c
                                            • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                            APIs
                                              • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                            • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                            • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                            • String ID: 0VG$0VG$<$@$Temp
                                            • API String ID: 1704390241-2575729100
                                            • Opcode ID: 62621946d8eb1aa2ce2b39a4af5520ae479f7c91f66b5ded83c662c0635c4b6b
                                            • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                            • Opcode Fuzzy Hash: 62621946d8eb1aa2ce2b39a4af5520ae479f7c91f66b5ded83c662c0635c4b6b
                                            • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                            APIs
                                            • OpenClipboard.USER32 ref: 00416941
                                            • EmptyClipboard.USER32 ref: 0041694F
                                            • CloseClipboard.USER32 ref: 00416955
                                            • OpenClipboard.USER32 ref: 0041695C
                                            • GetClipboardData.USER32(0000000D), ref: 0041696C
                                            • GlobalLock.KERNEL32(00000000), ref: 00416975
                                            • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                            • CloseClipboard.USER32 ref: 00416984
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                            • String ID: !D@
                                            • API String ID: 2172192267-604454484
                                            • Opcode ID: 379e7e26ad6a900c3167f358ae85a18f925cef018a940f3467d8a5dc77bbddf2
                                            • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                            • Opcode Fuzzy Hash: 379e7e26ad6a900c3167f358ae85a18f925cef018a940f3467d8a5dc77bbddf2
                                            • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Service$CloseHandle$Open$ControlManager
                                            • String ID:
                                            • API String ID: 221034970-0
                                            • Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                            • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                            • Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
                                            • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                            APIs
                                            • _free.LIBCMT ref: 100059EA
                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                            • _free.LIBCMT ref: 100059F6
                                            • _free.LIBCMT ref: 10005A01
                                            • _free.LIBCMT ref: 10005A0C
                                            • _free.LIBCMT ref: 10005A17
                                            • _free.LIBCMT ref: 10005A22
                                            • _free.LIBCMT ref: 10005A2D
                                            • _free.LIBCMT ref: 10005A38
                                            • _free.LIBCMT ref: 10005A43
                                            • _free.LIBCMT ref: 10005A51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                            • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                            • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                            • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                            APIs
                                            • _free.LIBCMT ref: 00448135
                                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                            • _free.LIBCMT ref: 00448141
                                            • _free.LIBCMT ref: 0044814C
                                            • _free.LIBCMT ref: 00448157
                                            • _free.LIBCMT ref: 00448162
                                            • _free.LIBCMT ref: 0044816D
                                            • _free.LIBCMT ref: 00448178
                                            • _free.LIBCMT ref: 00448183
                                            • _free.LIBCMT ref: 0044818E
                                            • _free.LIBCMT ref: 0044819C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                            • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                            • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                            • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Eventinet_ntoa
                                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                            • API String ID: 3578746661-3604713145
                                            • Opcode ID: 50d9e231414fe59f6a3f8cfe8605fb83e7bf3d01780d01d3216dfe9026caa334
                                            • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                            • Opcode Fuzzy Hash: 50d9e231414fe59f6a3f8cfe8605fb83e7bf3d01780d01d3216dfe9026caa334
                                            • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                            APIs
                                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DecodePointer
                                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                                            • API String ID: 3527080286-3064271455
                                            • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                            • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                            • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                            • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                            APIs
                                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                              • Part of subcall function 0041C485: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                            • Sleep.KERNEL32(00000064), ref: 00417521
                                            • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CreateDeleteExecuteShellSleep
                                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                            • API String ID: 1462127192-2001430897
                                            • Opcode ID: bc4a8cc1da8bcd1fbb1098bf44f3330bcd726af2473b0b9f51270304d493b268
                                            • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                            • Opcode Fuzzy Hash: bc4a8cc1da8bcd1fbb1098bf44f3330bcd726af2473b0b9f51270304d493b268
                                            • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                            APIs
                                            • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                            • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 0040749E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                            • API String ID: 2050909247-4242073005
                                            • Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                            • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                            • Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                            • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                            APIs
                                            • _strftime.LIBCMT ref: 00401D50
                                              • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                            • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                            • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                            • API String ID: 3809562944-243156785
                                            • Opcode ID: ad8ba90a2921d66a3c12ccf8c1a2d8e4c0e0e91c69b7ff21a65ebece821e0ee7
                                            • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                            • Opcode Fuzzy Hash: ad8ba90a2921d66a3c12ccf8c1a2d8e4c0e0e91c69b7ff21a65ebece821e0ee7
                                            • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                            APIs
                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                            • int.LIBCPMT ref: 00410E81
                                              • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                              • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                            • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                            • __Init_thread_footer.LIBCMT ref: 00410F29
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                            • String ID: ,kG$0kG
                                            • API String ID: 3815856325-2015055088
                                            • Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                            • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                            • Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
                                            • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                            APIs
                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                            • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                            • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                            • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                            • waveInStart.WINMM ref: 00401CFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                            • String ID: dMG$|MG$PG
                                            • API String ID: 1356121797-532278878
                                            • Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                            • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                            • Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
                                            • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                              • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                              • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                              • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                            • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                            • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                            • TranslateMessage.USER32(?), ref: 0041D4E9
                                            • DispatchMessageA.USER32(?), ref: 0041D4F3
                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                            • String ID: Remcos
                                            • API String ID: 1970332568-165870891
                                            • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                            • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                            • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                            • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                            • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                            • Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                            • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                            APIs
                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                            • String ID:
                                            • API String ID: 1454806937-0
                                            • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                            • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                            • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                            • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                            APIs
                                              • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                              • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                              • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                              • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                            • _memcmp.LIBVCRUNTIME ref: 00445423
                                            • _free.LIBCMT ref: 00445494
                                            • _free.LIBCMT ref: 004454AD
                                            • _free.LIBCMT ref: 004454DF
                                            • _free.LIBCMT ref: 004454E8
                                            • _free.LIBCMT ref: 004454F4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$ErrorLast$_abort_memcmp
                                            • String ID: C
                                            • API String ID: 1679612858-1037565863
                                            • Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                            • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                            • Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                            • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: tcp$udp
                                            • API String ID: 0-3725065008
                                            • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                            • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                            • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                            • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                            APIs
                                            • __Init_thread_footer.LIBCMT ref: 004018BE
                                            • ExitThread.KERNEL32 ref: 004018F6
                                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                            • String ID: PkG$XMG$NG$NG
                                            • API String ID: 1649129571-3151166067
                                            • Opcode ID: 856b2a5f3568ea0699b2e44769f1b54aa8307209e3fc8d56d276bdd61831f207
                                            • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                            • Opcode Fuzzy Hash: 856b2a5f3568ea0699b2e44769f1b54aa8307209e3fc8d56d276bdd61831f207
                                            • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                            • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                              • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                              • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                            • String ID: .part
                                            • API String ID: 1303771098-3499674018
                                            • Opcode ID: d230553aec7110adf4e51ba4941b1d94ecbe35f1f5eea66a9c4207c894b51e14
                                            • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                            • Opcode Fuzzy Hash: d230553aec7110adf4e51ba4941b1d94ecbe35f1f5eea66a9c4207c894b51e14
                                            • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                            APIs
                                            • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                            • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                            • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Console$Window$AllocOutputShow
                                            • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                            • API String ID: 4067487056-3065609815
                                            • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                            • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                            • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                            • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                            • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                            • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                            • __freea.LIBCMT ref: 0044AE30
                                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                            • __freea.LIBCMT ref: 0044AE39
                                            • __freea.LIBCMT ref: 0044AE5E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                            • String ID:
                                            • API String ID: 3864826663-0
                                            • Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                            • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                            • Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                            • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                            APIs
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                            • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: InputSend
                                            • String ID:
                                            • API String ID: 3431551938-0
                                            • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                            • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                            • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                            • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __freea$__alloca_probe_16_free
                                            • String ID: a/p$am/pm$zD
                                            • API String ID: 2936374016-2723203690
                                            • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                            • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                            • Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                            • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                            APIs
                                            • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                            • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Enum$InfoQueryValue
                                            • String ID: [regsplt]$xUG$TG
                                            • API String ID: 3554306468-1165877943
                                            • Opcode ID: b730b8f01de3b61de9bdc309d271c932a797a33a56bfebd36572143352d58066
                                            • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                            • Opcode Fuzzy Hash: b730b8f01de3b61de9bdc309d271c932a797a33a56bfebd36572143352d58066
                                            • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                            APIs
                                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                            • __fassign.LIBCMT ref: 1000954F
                                            • __fassign.LIBCMT ref: 1000956A
                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                            • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                            • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                            • String ID:
                                            • API String ID: 1324828854-0
                                            • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                            • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                            • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                            • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                            APIs
                                            • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                            • __fassign.LIBCMT ref: 0044B479
                                            • __fassign.LIBCMT ref: 0044B494
                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                            • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                                            • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                            • String ID:
                                            • API String ID: 1324828854-0
                                            • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                            • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                            • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                            • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free
                                            • String ID: D[E$D[E
                                            • API String ID: 269201875-3695742444
                                            • Opcode ID: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                                            • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                            • Opcode Fuzzy Hash: bc4a191701c62eeb9847f09c94d148ade9b95fc5d58c951cd89fb7ba37de2388
                                            • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                            APIs
                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                              • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                              • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseEnumInfoOpenQuerysend
                                            • String ID: xUG$NG$NG$TG
                                            • API String ID: 3114080316-2811732169
                                            • Opcode ID: 6c4551c0fef6ea8a62e0362b81dd69ab0e8a90bfa27d8b291aed53c83e443e60
                                            • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                            • Opcode Fuzzy Hash: 6c4551c0fef6ea8a62e0362b81dd69ab0e8a90bfa27d8b291aed53c83e443e60
                                            • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                            APIs
                                            • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                            • _ValidateLocalCookies.LIBCMT ref: 10003431
                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                            • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 1170836740-1018135373
                                            • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                            • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                            • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                            • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                            APIs
                                              • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                              • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                              • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                              • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                            • _wcslen.LIBCMT ref: 0041B763
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                            • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                            • API String ID: 3286818993-122982132
                                            • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                            • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                            • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
                                            • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                            APIs
                                              • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                              • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                              • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                            • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                            • API String ID: 1133728706-4073444585
                                            • Opcode ID: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
                                            • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                            • Opcode Fuzzy Hash: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
                                            • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                            • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                            • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                            • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                            APIs
                                              • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                            • _free.LIBCMT ref: 100092AB
                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                            • _free.LIBCMT ref: 100092B6
                                            • _free.LIBCMT ref: 100092C1
                                            • _free.LIBCMT ref: 10009315
                                            • _free.LIBCMT ref: 10009320
                                            • _free.LIBCMT ref: 1000932B
                                            • _free.LIBCMT ref: 10009336
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                            • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                            • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                            • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                            APIs
                                              • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                            • _free.LIBCMT ref: 00450F48
                                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                            • _free.LIBCMT ref: 00450F53
                                            • _free.LIBCMT ref: 00450F5E
                                            • _free.LIBCMT ref: 00450FB2
                                            • _free.LIBCMT ref: 00450FBD
                                            • _free.LIBCMT ref: 00450FC8
                                            • _free.LIBCMT ref: 00450FD3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                            • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                            • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                            • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                            APIs
                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                            • int.LIBCPMT ref: 00411183
                                              • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                              • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                            • std::_Facet_Register.LIBCPMT ref: 004111C3
                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                            • String ID: (mG
                                            • API String ID: 2536120697-4059303827
                                            • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                            • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                            • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                            • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                            APIs
                                            • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                            • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ErrorLastValue___vcrt_
                                            • String ID:
                                            • API String ID: 3852720340-0
                                            APIs
                                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe), ref: 004075D0
                                              • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                              • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                            • CoUninitialize.OLE32 ref: 00407629
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: InitializeObjectUninitialize_wcslen
                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                            • API String ID: 3851391207-3324213274
                                            APIs
                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                            • GetLastError.KERNEL32 ref: 0040BAE7
                                            Strings
                                            • UserProfile, xrefs: 0040BAAD
                                            • [Chrome Cookies not found], xrefs: 0040BB01
                                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                            • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: DeleteErrorFileLast
                                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                            • API String ID: 2018770650-304995407
                                            APIs
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                            • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                            • Sleep.KERNEL32(00002710), ref: 0041AE07
                                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: PlaySound$HandleLocalModuleSleepTime
                                            • String ID: Alarm triggered$`#v
                                            • API String ID: 614609389-3049340936
                                            APIs
                                            • __allrem.LIBCMT ref: 0043AC69
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                            • __allrem.LIBCMT ref: 0043AC9C
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                            • __allrem.LIBCMT ref: 0043ACD1
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                            • String ID:
                                            • API String ID: 1992179935-0
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                            • __freea.LIBCMT ref: 10008A08
                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                            • __freea.LIBCMT ref: 10008A11
                                            • __freea.LIBCMT ref: 10008A36
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                            • String ID:
                                            • API String ID: 1414292761-0
                                            APIs
                                            • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                              • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: H_prologSleep
                                            • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                            • API String ID: 3469354165-3054508432
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: __cftoe
                                            • String ID:
                                            • API String ID: 4189289331-0
                                            APIs
                                            • _strlen.LIBCMT ref: 10001607
                                            • _strcat.LIBCMT ref: 1000161D
                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                            • lstrcatW.KERNEL32(?,?), ref: 1000165A
                                            • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                            • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: lstrcatlstrlen$_strcat_strlen
                                            • String ID:
                                            • API String ID: 1922816806-0
                                            APIs
                                            • lstrcatW.KERNEL32(?,?), ref: 10001038
                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: lstrlen$AttributesFilelstrcat
                                            • String ID:
                                            • API String ID: 3594823470-0
                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                            • String ID:
                                            • API String ID: 493672254-0
                                            APIs
                                            • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                            • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ErrorLastValue___vcrt_
                                            • String ID:
                                            • API String ID: 3852720340-0
                                            APIs
                                            • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                            • _free.LIBCMT ref: 10005B2D
                                            • _free.LIBCMT ref: 10005B55
                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                            • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                            • _abort.LIBCMT ref: 10005B74
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_free$_abort
                                            • String ID:
                                            • API String ID: 3160817290-0
                                            APIs
                                            • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                            • _free.LIBCMT ref: 0044824C
                                            • _free.LIBCMT ref: 00448274
                                            • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                            • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                            • _abort.LIBCMT ref: 00448293
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_free$_abort
                                            • String ID:
                                            • API String ID: 3160817290-0
                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Service$CloseHandle$Open$ControlManager
                                            • String ID:
                                            • API String ID: 221034970-0
                                            • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                            • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                            • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
                                            • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Service$CloseHandle$Open$ControlManager
                                            • String ID:
                                            • API String ID: 221034970-0
                                            • Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                            • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                            • Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
                                            • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Service$CloseHandle$Open$ControlManager
                                            • String ID:
                                            • API String ID: 221034970-0
                                            • Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                            • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                            • Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
                                            • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                            APIs
                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                              • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                              • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                              • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                            • API String ID: 4036392271-1520055953
                                            • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                            • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                            • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                            • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                            APIs
                                            • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                            • GetLastError.KERNEL32 ref: 0041D580
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ClassCreateErrorLastRegisterWindow
                                            • String ID: 0$MsgWindowClass
                                            • API String ID: 2877667751-2410386613
                                            • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                            • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                            • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                            • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                            APIs
                                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                            • CloseHandle.KERNEL32(?), ref: 004077AA
                                            • CloseHandle.KERNEL32(?), ref: 004077AF
                                            Strings
                                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                            • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseHandle$CreateProcess
                                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                            • API String ID: 2922976086-4183131282
                                            • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                            • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                            • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                            • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                            Strings
                                            • Rmc-SJ9MVF, xrefs: 004076DA
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, xrefs: 004076C4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe$Rmc-SJ9MVF
                                            • API String ID: 0-425797454
                                            • Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                            • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                            • Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
                                            • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                            APIs
                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                            • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                            • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                            • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                            • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                            APIs
                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                            • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressFreeHandleLibraryModuleProc
                                            • String ID: CorExitProcess$mscoree.dll
                                            • API String ID: 4061214504-1276376045
                                            • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                            • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                            • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                            • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                            APIs
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                            • String ID: KeepAlive | Disabled
                                            • API String ID: 2993684571-305739064
                                            • Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                            • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                            • Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
                                            • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                            APIs
                                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                            Strings
                                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                            • API String ID: 3024135584-2418719853
                                            • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                            • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                            • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                            • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                            APIs
                                            • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                            • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: GetCursorInfo$User32.dll$`#v
                                            • API String ID: 1646373207-1032071883
                                            • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                            • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                            • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                            • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                            • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                            • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                            • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                            APIs
                                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                            • _free.LIBCMT ref: 00444E06
                                            • _free.LIBCMT ref: 00444E1D
                                            • _free.LIBCMT ref: 00444E3C
                                            • _free.LIBCMT ref: 00444E57
                                            • _free.LIBCMT ref: 00444E6E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$AllocateHeap
                                            • String ID:
                                            • API String ID: 3033488037-0
                                            • Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                            • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                            • Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                            • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                            APIs
                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                            • _free.LIBCMT ref: 004493BD
                                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                            • _free.LIBCMT ref: 00449589
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                            • String ID:
                                            • API String ID: 1286116820-0
                                            • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                            • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                            • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                            • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                            APIs
                                              • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                              • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                            • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                              • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                              • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                              • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 2180151492-0
                                            • Opcode ID: 8b8cdfc602dbd14a3ce60d1437fbf9c616907d32c1791499aac7107a218dc19c
                                            • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                            • Opcode Fuzzy Hash: 8b8cdfc602dbd14a3ce60d1437fbf9c616907d32c1791499aac7107a218dc19c
                                            • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
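Every function entry on this page has the same layout: an "APIs" list (call-site lines, with "Part of subcall function" lines for APIs reached through a callee), the memory dump the code was disassembled from, and a "Similarity" block whose "API ID" is a compact signature built from the API names. The entry above (the sample's process walk: CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS = 2, Process32FirstW/NextW with a 0x22C-byte PROCESSENTRY32W, IsWow64Process and OpenProcess per process) is the one an analyst most wants to pivot on, and the API ID is what makes that pivot possible across reports. The following Python is an added example, not part of the Joe Sandbox report: it parses entries in this layout, re-derives the API ID from the listed calls, and decodes the OpenProcess access masks. The token-dropping rule (STOP_TOKENS) is inferred from the entries on this page and is an assumption about Joe Sandbox's naming, not a documented rule; the sample text is copied from two entries on this page, with only the lines the parser reads.

```python
"""Added example: parse Joe Sandbox function entries and re-derive the "API ID" field."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Tokens dropped before counting. Inferred from this page (GetLastError -> Last Error,
# IsWow64Process -> Wow64 Process, WideCharToMultiByte -> Wide Char Multi Byte,
# Process32FirstW -> Process32 First); an assumption, not a documented Joe Sandbox rule.
STOP_TOKENS = {"Get", "Set", "Is", "Rtl", "To", "W"}
TOKEN = re.compile(r"[A-Z][a-z0-9]*|[a-z][a-z0-9]*")

# dwDesiredAccess values seen in the OpenProcess calls on this page (standard Win32 constants).
PROCESS_ACCESS = {0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}

API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
FIELD_LINE = re.compile(r"^\s*(?:•\s*)?(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address for "Part of subcall function" lines, else None


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "API ID", "Source File", ... as printed


def parse_entries(text):
    """One FunctionEntry per 'APIs' header; bullet lines become calls or key/value fields."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append(FunctionEntry())
            continue
        if not entries:
            continue
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            entries[-1].apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                            int(m["sub"], 16) if m["sub"] else None))
            continue
        m = FIELD_LINE.match(line)
        if m:
            entries[-1].fields[m["key"].strip()] = m["value"].strip()
    return entries


def api_tokens(name):
    if name.startswith("_"):   # CRT helpers (_free, __freea, _strpbrk) are kept whole
        return [name]
    return [t for t in TOKEN.findall(name) if t not in STOP_TOKENS]


def api_id(entry):
    """Token counts over all calls (subcall lines included), grouped by descending count,
    '$' between groups, sorted in code-point order within a group ('_free' after 'Wide')."""
    counts = Counter(t for call in entry.apis for t in api_tokens(call.name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def check_api_ids(text):
    """(reported, recomputed, match) for every entry that carries an 'API ID' field."""
    out = []
    for e in parse_entries(text):
        if "API ID" in e.fields:
            computed = api_id(e)
            out.append((e.fields["API ID"], computed, e.fields["API ID"] == computed))
    return out


def open_process_access(entry):
    """Decode the first OpenProcess argument (dwDesiredAccess) of each call, in listing order."""
    masks = [int(c.args[0], 16) for c in entry.apis if c.name == "OpenProcess" and c.args]
    return [PROCESS_ACCESS.get(m, hex(m)) for m in masks]


# Two entries copied from this report (the process walk at 0040F91B and the image-name
# lookup at 0041C1F5); dump-source and hash lines omitted.
SAMPLE = """\
APIs
  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
• CloseHandle.KERNEL32(00000000), ref: 0040FB05
  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
  • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
• API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
• API ID: Process$CloseHandleOpen$FileImageName
"""

if __name__ == "__main__":
    for reported, computed, ok in check_api_ids(SAMPLE):
        print("OK " if ok else "BAD", reported, "" if ok else computed)
    print(open_process_access(parse_entries(SAMPLE)[1]))
```

Running it over the two copied entries reproduces both reported API IDs exactly, which is the check worth keeping when comparing this report with another Remcos sample: two functions with the same API ID share the same multiset of imported-API tokens even when their fuzzy hashes differ. The decoded access masks also make the OpenProcess pattern at 0041C1F5/0041C208 readable: the code asks for PROCESS_QUERY_LIMITED_INFORMATION first and retries with PROCESS_QUERY_INFORMATION, which is what lets the 0x104-character GetProcessImageFileNameW lookup succeed on processes the sample cannot open with broader rights.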
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free
                                            • String ID:
                                            • API String ID: 269201875-0
                                            • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                            • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                            • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                            • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                            • __alloca_probe_16.LIBCMT ref: 004511B1
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                            • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                            • __freea.LIBCMT ref: 0045121D
                                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                            • String ID:
                                            • API String ID: 313313983-0
                                            • Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                            • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                            • Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                            • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                            APIs
                                            • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                            • _free.LIBCMT ref: 100071B8
                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                            • String ID:
                                            • API String ID: 336800556-0
                                            • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                            • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                            • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                            • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                            APIs
                                            • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                              • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                            • _free.LIBCMT ref: 0044F3BF
                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                            • String ID:
                                            • API String ID: 336800556-0
                                            • Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                            • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                            • Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                            • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                            APIs
                                            • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                            • _free.LIBCMT ref: 10005BB4
                                            • _free.LIBCMT ref: 10005BDB
                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_free
                                            • String ID:
                                            • API String ID: 3170660625-0
                                            • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                            • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                            • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                            • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                            APIs
                                            • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                            • _free.LIBCMT ref: 004482D3
                                            • _free.LIBCMT ref: 004482FA
                                            • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                            • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$_free
                                            • String ID:
                                            • API String ID: 3170660625-0
                                            • Opcode ID: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                                            • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                            • Opcode Fuzzy Hash: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                                            • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                            APIs
                                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                            • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CloseHandleOpen$FileImageName
                                            • String ID:
                                            • API String ID: 2951400881-0
                                            • Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                                            • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                            • Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                                            • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                            • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                            • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                            • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: lstrlen$lstrcat
                                            • String ID:
                                            • API String ID: 493641738-0
                                            • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                            • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                            • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                            • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                            APIs
                                            • _free.LIBCMT ref: 100091D0
                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                            • _free.LIBCMT ref: 100091E2
                                            • _free.LIBCMT ref: 100091F4
                                            • _free.LIBCMT ref: 10009206
                                            • _free.LIBCMT ref: 10009218
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                            • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                            • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                            • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                            APIs
                                            • _free.LIBCMT ref: 004509D4
                                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                            • _free.LIBCMT ref: 004509E6
                                            • _free.LIBCMT ref: 004509F8
                                            • _free.LIBCMT ref: 00450A0A
                                            • _free.LIBCMT ref: 00450A1C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                            • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                            • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                            • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                            APIs
                                            • _free.LIBCMT ref: 1000536F
                                              • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                              • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                            • _free.LIBCMT ref: 10005381
                                            • _free.LIBCMT ref: 10005394
                                            • _free.LIBCMT ref: 100053A5
                                            • _free.LIBCMT ref: 100053B6
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                            • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                            • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                            • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                            APIs
                                            • _free.LIBCMT ref: 00444066
                                              • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                              • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                            • _free.LIBCMT ref: 00444078
                                            • _free.LIBCMT ref: 0044408B
                                            • _free.LIBCMT ref: 0044409C
                                            • _free.LIBCMT ref: 004440AD
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$ErrorFreeHeapLast
                                            • String ID:
                                            • API String ID: 776569668-0
                                            • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                            • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                            • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                            • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                            APIs
                                            • _strpbrk.LIBCMT ref: 0044E738
                                            • _free.LIBCMT ref: 0044E855
                                              • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                              • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                              • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                            • String ID: *?$.
                                            • API String ID: 2812119850-3972193922
                                            • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                            • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                            • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                            • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                            APIs
                                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                              • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,01099ED0,00000010), ref: 004048E0
                                              • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                              • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFileKeyboardLayoutNameconnectsend
                                            • String ID: XQG$NG$PG
                                            • API String ID: 1634807452-3565412412
                                            • Opcode ID: 088076c525a7ba9bbf1c882158874681771abc0c272c9025060a35700cc2cdc5
                                            • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                            • Opcode Fuzzy Hash: 088076c525a7ba9bbf1c882158874681771abc0c272c9025060a35700cc2cdc5
                                            • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: `#D$`#D
                                            • API String ID: 885266447-2450397995
                                            • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                            • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                            • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                            • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 10004C1D
                                            • _free.LIBCMT ref: 10004CE8
                                            • _free.LIBCMT ref: 10004CF2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _free$FileModuleName
                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            • API String ID: 2506810119-760905667
                                            • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                            • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                            • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                            • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                            APIs
                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe,00000104), ref: 00443475
                                            • _free.LIBCMT ref: 00443540
                                            • _free.LIBCMT ref: 0044354A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _free$FileModuleName
                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                            • API String ID: 2506810119-760905667
                                            • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                            • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                            • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                            • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                              • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                              • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                              • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                              • Part of subcall function 0041C485: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                            • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                            • String ID: /sort "Visit Time" /stext "$0NG
                                            • API String ID: 368326130-3219657780
                                            • Opcode ID: 44602993bd37dcb0b46df03d8f32aef03929348bb3827289624895e7cc1e30d3
                                            • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                            • Opcode Fuzzy Hash: 44602993bd37dcb0b46df03d8f32aef03929348bb3827289624895e7cc1e30d3
                                            • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                            APIs
                                            • _wcslen.LIBCMT ref: 004162F5
                                              • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                              • Part of subcall function 00413877: RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                              • Part of subcall function 00413877: RegCloseKey.KERNELBASE(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                              • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _wcslen$CloseCreateValue
                                            • String ID: !D@$okmode$PG
                                            • API String ID: 3411444782-3370592832
                                            • Opcode ID: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
                                            • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                            • Opcode Fuzzy Hash: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
                                            • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                            APIs
                                              • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                            Strings
                                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                            • User Data\Default\Network\Cookies, xrefs: 0040C603
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExistsFilePath
                                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                            • API String ID: 1174141254-1980882731
                                            • Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                            • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                            • Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
                                            • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                            APIs
                                              • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                            • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                            • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                            Strings
                                            • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                            • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExistsFilePath
                                            • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                            • API String ID: 1174141254-1980882731
                                            • Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                            • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                            • Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
                                            • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                            APIs
                                            • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                            • wsprintfW.USER32 ref: 0040B1F3
                                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: EventLocalTimewsprintf
                                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                            • API String ID: 1497725170-1359877963
                                            • Opcode ID: 4b61bdf1e4649f408c1e010907dbc1ed31b9c64e2b29a313bfb4962842f39c84
                                            • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                            • Opcode Fuzzy Hash: 4b61bdf1e4649f408c1e010907dbc1ed31b9c64e2b29a313bfb4962842f39c84
                                            • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                            APIs
                                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                            • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                            • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread$LocalTime$wsprintf
                                            • String ID: Online Keylogger Started
                                            • API String ID: 112202259-1258561607
                                            • Opcode ID: 479f868247490eb8d94e44a3ac1295fc2cb218e13a7b72eda2db3aeddef0bb4d
                                            • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                            • Opcode Fuzzy Hash: 479f868247490eb8d94e44a3ac1295fc2cb218e13a7b72eda2db3aeddef0bb4d
                                            • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                            APIs
                                            • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                            • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: CryptUnprotectData$crypt32
                                            • API String ID: 2574300362-2380590389
                                            • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                            • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                            • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                            • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                            • CloseHandle.KERNEL32(?), ref: 004051CA
                                            • SetEvent.KERNEL32(?), ref: 004051D9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseEventHandleObjectSingleWait
                                            • String ID: Connection Timeout
                                            • API String ID: 2055531096-499159329
                                            • Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                            • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                            • Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
                                            • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                            APIs
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Exception@8Throw
                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                            • API String ID: 2005118841-1866435925
                                            • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                            • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                            • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                            • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                            APIs
                                            • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                                            • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
                                            • RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CloseCreateValue
                                            • String ID: pth_unenc
                                            • API String ID: 1818849710-4028850238
                                            • Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                            • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                            • Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
                                            • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                            APIs
                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                              • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                              • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                            • String ID: bad locale name
                                            • API String ID: 3628047217-1405518554
                                            • Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                            • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                            • Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                            • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                            APIs
                                            • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                            • ShowWindow.USER32(00000009), ref: 00416C61
                                            • SetForegroundWindow.USER32 ref: 00416C6D
                                              • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                              • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                              • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                              • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                            • String ID: !D@
                                            • API String ID: 186401046-604454484
                                            • Opcode ID: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
                                            • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                            • Opcode Fuzzy Hash: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
                                            • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                            APIs
                                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExecuteShell
                                            • String ID: /C $cmd.exe$open
                                            • API String ID: 587946157-3896048727
                                            • Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                            • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                            • Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
                                            • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                            APIs
                                            • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                                            • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                            • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: TerminateThread$HookUnhookWindows
                                            • String ID: pth_unenc
                                            • API String ID: 3123878439-4028850238
                                            • Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                            • Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
                                            • Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                            • Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D
                                            APIs
                                            • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                            • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressLibraryLoadProc
                                            • String ID: GetLastInputInfo$User32.dll
                                            • API String ID: 2574300362-1519888992
                                            • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                            • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                                            • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                            • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __alldvrm$_strrchr
                                            • String ID:
                                            • API String ID: 1036877536-0
                                            • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                            • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                            • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                            • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                            • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                            • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                            • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                            • __freea.LIBCMT ref: 100087D5
                                              • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                            • String ID:
                                            • API String ID: 2652629310-0
                                            • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                            • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                            • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                            • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                            APIs
                                            Strings
                                            • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                            • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                            • API String ID: 3472027048-1236744412
                                            • Opcode ID: a2f891f9d224728c04bbb1debadef956fab89d0381d541b8d2862f798e9015da
                                            • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                            • Opcode Fuzzy Hash: a2f891f9d224728c04bbb1debadef956fab89d0381d541b8d2862f798e9015da
                                            • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                            APIs
                                            • EnumDisplayMonitors.USER32(00000000,00000000,004195CF,00000000), ref: 004194F5
                                            • EnumDisplayDevicesW.USER32(?), ref: 00419525
                                            • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 0041959A
                                            • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195B7
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DisplayEnum$Devices$Monitors
                                            • String ID:
                                            • API String ID: 1432082543-0
                                            • Opcode ID: 87e58e3218148989140d0ffac94925d1ebdf8dad9c36676593952cebb4287d16
                                            • Instruction ID: 9f89b1fc864c89aa53311e19646eec67f909338e1adf78e73a6452d568b12732
                                            • Opcode Fuzzy Hash: 87e58e3218148989140d0ffac94925d1ebdf8dad9c36676593952cebb4287d16
                                            • Instruction Fuzzy Hash: 6F218072108314ABD221DF26DC49EABBBECEBD1764F00053FF459D3190EB749A49C66A
                                            APIs
                                              • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                              • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                              • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                            • Sleep.KERNEL32(000001F4), ref: 0040A573
                                            • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Window$SleepText$ForegroundLength
                                            • String ID: [ $ ]
                                            • API String ID: 3309952895-93608704
                                            • Opcode ID: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
                                            • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                            • Opcode Fuzzy Hash: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
                                            • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: SystemTimes$Sleep__aulldiv
                                            • String ID:
                                            • API String ID: 188215759-0
                                            • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                            • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                                            • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                            • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                                            • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                            • Opcode Fuzzy Hash: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                                            • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                                            • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                            • Opcode Fuzzy Hash: 253450334f16ac4bada5e464aed069c53fdbe8794578123440a1a1ba72333804
                                            • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                            • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                            • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: LibraryLoad$ErrorLast
                                            • String ID:
                                            • API String ID: 3177248105-0
                                            • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                            • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                            • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                            • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                            • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                            • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad$ErrorLast
                                            • String ID:
                                            • API String ID: 3177248105-0
                                            • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                            • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                            • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                            • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                            APIs
                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                              • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                            • _UnwindNestedFrames.LIBCMT ref: 00439891
                                            • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                            • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                            • String ID:
                                            • API String ID: 2633735394-0
                                            • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                            • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                            • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                            • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                            APIs
                                            • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                            • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                            • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                            • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MetricsSystem
                                            • String ID:
                                            • API String ID: 4116985748-0
                                            • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                            • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                            • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                            • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                            APIs
                                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                              • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                            • String ID:
                                            • API String ID: 1761009282-0
                                            • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                            • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                                            • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                            • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                                            APIs
                                            • _free.LIBCMT ref: 1000655C
                                              • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                              • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                              • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                            • String ID: *?$.
                                            • API String ID: 2667617558-3972193922
                                            • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                            • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                            • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                            • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                            APIs
                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                              • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                            • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                              • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                              • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                            • String ID: image/jpeg
                                            • API String ID: 1291196975-3785015651
                                            • Opcode ID: 6e04f8ac358d86261f340c02fc4254ea4fa5b72d51dab4b51890127c9f8658cf
                                            • Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
                                            • Opcode Fuzzy Hash: 6e04f8ac358d86261f340c02fc4254ea4fa5b72d51dab4b51890127c9f8658cf
                                            • Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
                                            APIs
                                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                            • __Init_thread_footer.LIBCMT ref: 0040B797
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Init_thread_footer__onexit
                                            • String ID: [End of clipboard]$[Text copied to clipboard]
                                            • API String ID: 1881088180-3686566968
                                            • Opcode ID: b75b6418a390f749317f2ab44173591ff602460dbf5675c7faf818e64fc176e3
                                            • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                            • Opcode Fuzzy Hash: b75b6418a390f749317f2ab44173591ff602460dbf5675c7faf818e64fc176e3
                                            • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                            APIs
                                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ACP$OCP
                                            • API String ID: 0-711371036
                                            • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                            • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                            • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                            • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                            APIs
                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                              • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                              • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                              • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                            • String ID: image/png
                                            • API String ID: 1291196975-2966254431
                                            • Opcode ID: a27ec27d9e18f0a906ecaac1dc19e5732830617660cf953b76ad9b2867ca9ec8
                                            • Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
                                            • Opcode Fuzzy Hash: a27ec27d9e18f0a906ecaac1dc19e5732830617660cf953b76ad9b2867ca9ec8
                                            • Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6
                                            APIs
                                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                            Strings
                                            • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LocalTime
                                            • String ID: KeepAlive | Enabled | Timeout:
                                            • API String ID: 481472006-1507639952
                                            • Opcode ID: 5b49fe7ebc3dd67cdf94e38743eb20928709a3ec39b389cca4b516c591649347
                                            • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                                            • Opcode Fuzzy Hash: 5b49fe7ebc3dd67cdf94e38743eb20928709a3ec39b389cca4b516c591649347
                                            • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                                            APIs
                                            • Sleep.KERNEL32 ref: 00416640
                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DownloadFileSleep
                                            • String ID: !D@
                                            • API String ID: 1931167962-604454484
                                            • Opcode ID: e2f37744b7fb9eb9058f71ff0aa918298059d13fe50ac3369e39da324d73493c
                                            • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                            • Opcode Fuzzy Hash: e2f37744b7fb9eb9058f71ff0aa918298059d13fe50ac3369e39da324d73493c
                                            • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _strlen
                                            • String ID: : $Se.
                                            • API String ID: 4218353326-4089948878
                                            • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                            • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                            • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                            • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                            APIs
                                            • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LocalTime
                                            • String ID: | $%02i:%02i:%02i:%03i
                                            • API String ID: 481472006-2430845779
                                            • Opcode ID: 9943bc0e607642414e1270e8ed0348d03c595322458554df1a59568979ca2f05
                                            • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                            • Opcode Fuzzy Hash: 9943bc0e607642414e1270e8ed0348d03c595322458554df1a59568979ca2f05
                                            • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                            APIs
                                            • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExistsFilePath
                                            • String ID: alarm.wav$hYG
                                            • API String ID: 1174141254-2782910960
                                            • Opcode ID: 927e0edff403eebb4f9eff2a49ef343572b544c1c63ef3d24774cae310748075
                                            • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                            • Opcode Fuzzy Hash: 927e0edff403eebb4f9eff2a49ef343572b544c1c63ef3d24774cae310748075
                                            • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                            APIs
                                              • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                              • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                              • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                            • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                            • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                            • String ID: Online Keylogger Stopped
                                            • API String ID: 1623830855-1496645233
                                            • Opcode ID: 086a3c4929947be54678252dfea77875741b8c789e716d5a77e1f3bca4bdded6
                                            • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                            • Opcode Fuzzy Hash: 086a3c4929947be54678252dfea77875741b8c789e716d5a77e1f3bca4bdded6
                                            • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                            APIs
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                              • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4546472610.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                             • Associated: 00000004.00000002.4546452225.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4546472610.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_10000000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw$ExceptionRaise
                                            • String ID: Unknown exception
                                            • API String ID: 3476068407-410509341
                                            • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                            • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                            • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                            • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                            APIs
                                            • waveInPrepareHeader.WINMM(01086820,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                            • waveInAddBuffer.WINMM(01086820,00000020,?,00000000,00401A15), ref: 0040185F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: wave$BufferHeaderPrepare
                                            • String ID: XMG
                                            • API String ID: 2315374483-813777761
                                            APIs
                                            • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LocaleValid
                                            • String ID: IsValidLocaleName$JD
                                            • API String ID: 1901932003-2234456777
                                            APIs
                                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExistsFilePath
                                            • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                            • API String ID: 1174141254-4188645398
                                            APIs
                                            • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExistsFilePath
                                            • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                            • API String ID: 1174141254-2800177040
                                            APIs
                                            • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExistsFilePath
                                            • String ID: AppData$\Opera Software\Opera Stable\
                                            • API String ID: 1174141254-1629609700
                                            APIs
                                            • GetKeyState.USER32(00000011), ref: 0040B64B
                                              • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                                              • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                              • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                              • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                              • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                                              • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                                              • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                              • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                            • String ID: [AltL]$[AltR]
                                            • API String ID: 2738857842-2658077756
                                            APIs
                                            • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                            • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: uD
                                            • API String ID: 0-2547262877
                                            APIs
                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExecuteShell
                                            • String ID: !D@$open
                                            • API String ID: 587946157-1586967515
                                            APIs
                                            • GetKeyState.USER32(00000012), ref: 0040B6A5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: State
                                            • String ID: [CtrlL]$[CtrlR]
                                            • API String ID: 1649606143-2446555240
                                            APIs
                                              • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                            • __Init_thread_footer.LIBCMT ref: 00410F29
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Init_thread_footer__onexit
                                            • String ID: ,kG$0kG
                                            • API String ID: 1881088180-2015055088
                                            APIs
                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                                            • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                                            Strings
                                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DeleteOpenValue
                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                            • API String ID: 2654517830-1051519024
                                            APIs
                                            • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                            • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: DeleteDirectoryFileRemove
                                            • String ID: pth_unenc
                                            • API String ID: 3325800564-4028850238
                                            APIs
                                            • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                            • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ObjectProcessSingleTerminateWait
                                            • String ID: pth_unenc
                                            • API String ID: 1872346434-4028850238
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                            • GetLastError.KERNEL32 ref: 00440D35
                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharMultiWide$ErrorLast
                                            • String ID:
                                            • API String ID: 1717984340-0
                                            APIs
                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                            • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                            • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                            • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.4542868463.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000004.00000002.4542868463.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                             • Associated: 00000004.00000002.4542868463.0000000000478000.00000040.00000400.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_AddInProcess32.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLastRead
                                            • String ID:
                                            • API String ID: 4100373531-0

                                            Execution Graph

                                            Execution Coverage:6.4%
                                            Dynamic/Decrypted Code Coverage:9.2%
                                            Signature Coverage:0%
                                            Total number of Nodes:2000
                                            Total number of Limit Nodes:79
38117->38116 38119 40dade 38117->38119 38129 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38117->38129 38119->37891 38120->38090 38121->38092 38122->38094 38123->38096 38124->38098 38125->38100 38126->38102 38127->38104 38128->38106 38129->38117 38140 409b98 GetFileAttributesW 38130->38140 38132 40daea 38133 40db63 38132->38133 38134 40daef wcscpy wcscpy GetPrivateProfileIntW 38132->38134 38133->37893 38141 40d65d GetPrivateProfileStringW 38134->38141 38136 40db3e 38142 40d65d GetPrivateProfileStringW 38136->38142 38138 40db4f 38143 40d65d GetPrivateProfileStringW 38138->38143 38140->38132 38141->38136 38142->38138 38143->38133 38179 40eaff 38144->38179 38148 411ae2 memset 38147->38148 38149 411b8f 38147->38149 38219 409bca GetModuleFileNameW 38148->38219 38161 411a8b 38149->38161 38151 411b0a wcsrchr 38152 411b22 wcscat 38151->38152 38153 411b1f 38151->38153 38220 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38152->38220 38153->38152 38155 411b67 38221 402afb 38155->38221 38159 411b7f 38277 40ea13 SendMessageW memset SendMessageW 38159->38277 38162 402afb 27 API calls 38161->38162 38163 411ac0 38162->38163 38164 4110dc 38163->38164 38165 41113e 38164->38165 38170 4110f0 38164->38170 38302 40969c LoadCursorW SetCursor 38165->38302 38167 411143 38303 4032b4 38167->38303 38321 444a54 38167->38321 38168 4110f7 _wcsicmp 38168->38170 38169 411157 38171 40ada2 _wcsicmp 38169->38171 38170->38165 38170->38168 38324 410c46 10 API calls 38170->38324 38174 411167 38171->38174 38172 4111af 38174->38172 38175 4111a6 qsort 38174->38175 38175->38172 38178->37975 38180 40eb10 38179->38180 38192 40e8e0 38180->38192 38183 40eb6c memcpy memcpy 38184 40ebb7 38183->38184 38184->38183 38185 40ebf2 ??2@YAPAXI ??2@YAPAXI 38184->38185 38188 40d134 16 API calls 38184->38188 38186 40ec2e ??2@YAPAXI 38185->38186 38189 40ec65 38185->38189 38186->38189 38188->38184 38189->38189 38202 40ea7f 38189->38202 38191 402f49 38191->37975 38193 40e8f2 38192->38193 
38194 40e8eb ??3@YAXPAX 38192->38194 38195 40e900 38193->38195 38196 40e8f9 ??3@YAXPAX 38193->38196 38194->38193 38197 40e911 38195->38197 38198 40e90a ??3@YAXPAX 38195->38198 38196->38195 38199 40e931 ??2@YAPAXI ??2@YAPAXI 38197->38199 38200 40e921 ??3@YAXPAX 38197->38200 38201 40e92a ??3@YAXPAX 38197->38201 38198->38197 38199->38183 38200->38201 38201->38199 38203 40aa04 ??3@YAXPAX 38202->38203 38204 40ea88 38203->38204 38205 40aa04 ??3@YAXPAX 38204->38205 38206 40ea90 38205->38206 38207 40aa04 ??3@YAXPAX 38206->38207 38208 40ea98 38207->38208 38209 40aa04 ??3@YAXPAX 38208->38209 38210 40eaa0 38209->38210 38211 40a9ce 4 API calls 38210->38211 38212 40eab3 38211->38212 38213 40a9ce 4 API calls 38212->38213 38214 40eabd 38213->38214 38215 40a9ce 4 API calls 38214->38215 38216 40eac7 38215->38216 38217 40a9ce 4 API calls 38216->38217 38218 40ead1 38217->38218 38218->38191 38219->38151 38220->38155 38278 40b2cc 38221->38278 38223 402b0a 38224 40b2cc 27 API calls 38223->38224 38225 402b23 38224->38225 38226 40b2cc 27 API calls 38225->38226 38227 402b3a 38226->38227 38228 40b2cc 27 API calls 38227->38228 38229 402b54 38228->38229 38230 40b2cc 27 API calls 38229->38230 38231 402b6b 38230->38231 38232 40b2cc 27 API calls 38231->38232 38233 402b82 38232->38233 38234 40b2cc 27 API calls 38233->38234 38235 402b99 38234->38235 38236 40b2cc 27 API calls 38235->38236 38237 402bb0 38236->38237 38238 40b2cc 27 API calls 38237->38238 38239 402bc7 38238->38239 38240 40b2cc 27 API calls 38239->38240 38241 402bde 38240->38241 38242 40b2cc 27 API calls 38241->38242 38243 402bf5 38242->38243 38244 40b2cc 27 API calls 38243->38244 38245 402c0c 38244->38245 38246 40b2cc 27 API calls 38245->38246 38247 402c23 38246->38247 38248 40b2cc 27 API calls 38247->38248 38249 402c3a 38248->38249 38250 40b2cc 27 API calls 38249->38250 38251 402c51 38250->38251 38252 40b2cc 27 API calls 38251->38252 38253 402c68 38252->38253 38254 40b2cc 27 API calls 38253->38254 38255 402c7f 38254->38255 38256 
40b2cc 27 API calls 38255->38256 38257 402c99 38256->38257 38258 40b2cc 27 API calls 38257->38258 38259 402cb3 38258->38259 38260 40b2cc 27 API calls 38259->38260 38261 402cd5 38260->38261 38262 40b2cc 27 API calls 38261->38262 38263 402cf0 38262->38263 38264 40b2cc 27 API calls 38263->38264 38265 402d0b 38264->38265 38266 40b2cc 27 API calls 38265->38266 38267 402d26 38266->38267 38268 40b2cc 27 API calls 38267->38268 38269 402d3e 38268->38269 38270 40b2cc 27 API calls 38269->38270 38271 402d59 38270->38271 38272 40b2cc 27 API calls 38271->38272 38273 402d78 38272->38273 38274 40b2cc 27 API calls 38273->38274 38275 402d93 38274->38275 38276 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38275->38276 38276->38159 38277->38149 38281 40b58d 38278->38281 38280 40b2d1 38280->38223 38282 40b5a4 GetModuleHandleW FindResourceW 38281->38282 38283 40b62e 38281->38283 38284 40b5c2 LoadResource 38282->38284 38286 40b5e7 38282->38286 38283->38280 38285 40b5d0 SizeofResource LockResource 38284->38285 38284->38286 38285->38286 38286->38283 38294 40afcf 38286->38294 38288 40b608 memcpy 38297 40b4d3 memcpy 38288->38297 38290 40b61e 38298 40b3c1 18 API calls 38290->38298 38292 40b626 38299 40b04b 38292->38299 38295 40b04b ??3@YAXPAX 38294->38295 38296 40afd7 ??2@YAPAXI 38295->38296 38296->38288 38297->38290 38298->38292 38300 40b051 ??3@YAXPAX 38299->38300 38301 40b05f 38299->38301 38300->38301 38301->38283 38302->38167 38304 4032c4 38303->38304 38305 40b633 ??3@YAXPAX 38304->38305 38306 403316 38305->38306 38325 44553b 38306->38325 38310 403480 38521 40368c 15 API calls 38310->38521 38312 403489 38313 40b633 ??3@YAXPAX 38312->38313 38314 403495 38313->38314 38314->38169 38315 4033a9 memset memcpy 38316 4033ec wcscmp 38315->38316 38317 40333c 38315->38317 38316->38317 38317->38310 38317->38315 38317->38316 38519 4028e7 11 API calls 38317->38519 38520 40f508 6 API calls 38317->38520 38319 403421 _wcsicmp 38319->38317 38322 444a64 FreeLibrary 
38321->38322 38323 444a83 38321->38323 38322->38323 38323->38169 38324->38170 38326 445548 38325->38326 38327 445599 38326->38327 38522 40c768 38326->38522 38328 4455a8 memset 38327->38328 38335 4457f2 38327->38335 38605 403988 38328->38605 38339 445854 38335->38339 38707 403e2d memset memset memset memset memset 38335->38707 38336 445672 38616 403fbe memset memset memset memset memset 38336->38616 38337 4458bb memset memset 38343 414c2e 16 API calls 38337->38343 38388 4458aa 38339->38388 38730 403c9c memset memset memset memset memset 38339->38730 38341 44595e memset memset 38348 414c2e 16 API calls 38341->38348 38342 4455e5 38342->38336 38351 44560f 38342->38351 38344 4458f9 38343->38344 38349 40b2cc 27 API calls 38344->38349 38346 445a00 memset memset 38753 414c2e 38346->38753 38347 445b22 38353 445bca 38347->38353 38354 445b38 memset memset memset 38347->38354 38358 44599c 38348->38358 38359 445909 38349->38359 38350 44557a 38385 44558c 38350->38385 38802 41366b FreeLibrary 38350->38802 38362 4087b3 338 API calls 38351->38362 38352 445849 38817 40b1ab ??3@YAXPAX ??3@YAXPAX 38352->38817 38360 445c8b memset memset 38353->38360 38427 445cf0 38353->38427 38363 445bd4 38354->38363 38364 445b98 38354->38364 38367 40b2cc 27 API calls 38358->38367 38368 409d1f 6 API calls 38359->38368 38371 414c2e 16 API calls 38360->38371 38361 44589f 38818 40b1ab ??3@YAXPAX ??3@YAXPAX 38361->38818 38369 445621 38362->38369 38377 414c2e 16 API calls 38363->38377 38364->38363 38373 445ba2 38364->38373 38370 4459ac 38367->38370 38381 445919 38368->38381 38803 4454bf 20 API calls 38369->38803 38383 409d1f 6 API calls 38370->38383 38384 445cc9 38371->38384 38890 4099c6 wcslen 38373->38890 38374 4456b2 38805 40b1ab ??3@YAXPAX ??3@YAXPAX 38374->38805 38376 40b2cc 27 API calls 38389 445a4f 38376->38389 38391 445be2 38377->38391 38378 403335 38518 4452e5 45 API calls 38378->38518 38379 445d3d 38411 40b2cc 27 API calls 38379->38411 38380 445d88 memset memset memset 38394 414c2e 16 API calls 
38380->38394 38819 409b98 GetFileAttributesW 38381->38819 38382 445823 38382->38352 38393 4087b3 338 API calls 38382->38393 38395 4459bc 38383->38395 38396 409d1f 6 API calls 38384->38396 38589 444b06 38385->38589 38386 445879 38386->38361 38407 4087b3 338 API calls 38386->38407 38388->38337 38412 44594a 38388->38412 38768 409d1f wcslen wcslen 38389->38768 38400 40b2cc 27 API calls 38391->38400 38393->38382 38404 445dde 38394->38404 38886 409b98 GetFileAttributesW 38395->38886 38406 445ce1 38396->38406 38397 445bb3 38893 445403 memset 38397->38893 38398 445680 38398->38374 38639 4087b3 memset 38398->38639 38401 445bf3 38400->38401 38410 409d1f 6 API calls 38401->38410 38402 445928 38402->38412 38820 40b6ef 38402->38820 38413 40b2cc 27 API calls 38404->38413 38910 409b98 GetFileAttributesW 38406->38910 38407->38386 38421 445c07 38410->38421 38422 445d54 _wcsicmp 38411->38422 38412->38341 38426 4459ed 38412->38426 38425 445def 38413->38425 38414 4459cb 38414->38426 38435 40b6ef 252 API calls 38414->38435 38418 40b2cc 27 API calls 38419 445a94 38418->38419 38773 40ae18 38419->38773 38420 44566d 38420->38335 38690 413d4c 38420->38690 38431 445389 258 API calls 38421->38431 38432 445d71 38422->38432 38497 445d67 38422->38497 38424 445665 38804 40b1ab ??3@YAXPAX ??3@YAXPAX 38424->38804 38433 409d1f 6 API calls 38425->38433 38426->38346 38426->38347 38427->38378 38427->38379 38427->38380 38428 445389 258 API calls 38428->38353 38437 445c17 38431->38437 38911 445093 23 API calls 38432->38911 38440 445e03 38433->38440 38435->38426 38436 4456d8 38442 40b2cc 27 API calls 38436->38442 38443 40b2cc 27 API calls 38437->38443 38439 44563c 38439->38424 38445 4087b3 338 API calls 38439->38445 38912 409b98 GetFileAttributesW 38440->38912 38441 40b6ef 252 API calls 38441->38378 38447 4456e2 38442->38447 38448 445c23 38443->38448 38444 445d83 38444->38378 38445->38439 38806 413fa6 _wcsicmp _wcsicmp 38447->38806 38452 409d1f 6 API calls 38448->38452 38450 445e12 38457 445e6b 
38450->38457 38463 40b2cc 27 API calls 38450->38463 38455 445c37 38452->38455 38453 445aa1 38456 445b17 38453->38456 38471 445ab2 memset 38453->38471 38484 409d1f 6 API calls 38453->38484 38780 40add4 38453->38780 38785 445389 38453->38785 38794 40ae51 38453->38794 38454 4456eb 38459 4456fd memset memset memset memset 38454->38459 38460 4457ea 38454->38460 38461 445389 258 API calls 38455->38461 38887 40aebe 38456->38887 38914 445093 23 API calls 38457->38914 38807 409c70 wcscpy wcsrchr 38459->38807 38810 413d29 38460->38810 38466 445c47 38461->38466 38467 445e33 38463->38467 38473 40b2cc 27 API calls 38466->38473 38474 409d1f 6 API calls 38467->38474 38469 445e7e 38470 445f67 38469->38470 38479 40b2cc 27 API calls 38470->38479 38475 40b2cc 27 API calls 38471->38475 38477 445c53 38473->38477 38478 445e47 38474->38478 38475->38453 38476 409c70 2 API calls 38480 44577e 38476->38480 38481 409d1f 6 API calls 38477->38481 38913 409b98 GetFileAttributesW 38478->38913 38483 445f73 38479->38483 38485 409c70 2 API calls 38480->38485 38486 445c67 38481->38486 38488 409d1f 6 API calls 38483->38488 38484->38453 38489 44578d 38485->38489 38490 445389 258 API calls 38486->38490 38487 445e56 38487->38457 38493 445e83 memset 38487->38493 38491 445f87 38488->38491 38489->38460 38496 40b2cc 27 API calls 38489->38496 38490->38353 38917 409b98 GetFileAttributesW 38491->38917 38495 40b2cc 27 API calls 38493->38495 38498 445eab 38495->38498 38499 4457a8 38496->38499 38497->38378 38497->38441 38500 409d1f 6 API calls 38498->38500 38501 409d1f 6 API calls 38499->38501 38502 445ebf 38500->38502 38503 4457b8 38501->38503 38504 40ae18 9 API calls 38502->38504 38809 409b98 GetFileAttributesW 38503->38809 38514 445ef5 38504->38514 38506 4457c7 38506->38460 38508 4087b3 338 API calls 38506->38508 38507 40ae51 9 API calls 38507->38514 38508->38460 38509 445f5c 38511 40aebe FindClose 38509->38511 38510 40add4 2 API calls 38510->38514 38511->38470 38512 40b2cc 27 API calls 38512->38514 38513 
409d1f 6 API calls 38513->38514 38514->38507 38514->38509 38514->38510 38514->38512 38514->38513 38516 445f3a 38514->38516 38915 409b98 GetFileAttributesW 38514->38915 38916 445093 23 API calls 38516->38916 38518->38317 38519->38319 38520->38317 38521->38312 38523 40c775 38522->38523 38918 40b1ab ??3@YAXPAX ??3@YAXPAX 38523->38918 38525 40c788 38919 40b1ab ??3@YAXPAX ??3@YAXPAX 38525->38919 38527 40c790 38920 40b1ab ??3@YAXPAX ??3@YAXPAX 38527->38920 38529 40c798 38530 40aa04 ??3@YAXPAX 38529->38530 38531 40c7a0 38530->38531 38921 40c274 memset 38531->38921 38536 40a8ab 9 API calls 38537 40c7c3 38536->38537 38538 40a8ab 9 API calls 38537->38538 38539 40c7d0 38538->38539 38950 40c3c3 38539->38950 38543 40c877 38552 40bdb0 38543->38552 38544 40c86c 38992 4053fe 39 API calls 38544->38992 38546 40c7e5 38546->38543 38546->38544 38551 40c634 49 API calls 38546->38551 38975 40a706 38546->38975 38551->38546 39182 404363 38552->39182 38555 40bf5d 39202 40440c 38555->39202 38557 40bdee 38557->38555 38560 40b2cc 27 API calls 38557->38560 38558 40bddf CredEnumerateW 38558->38557 38561 40be02 wcslen 38560->38561 38561->38555 38563 40be1e 38561->38563 38562 40be26 _wcsncoll 38562->38563 38563->38555 38563->38562 38566 40be7d memset 38563->38566 38567 40bea7 memcpy 38563->38567 38568 40bf11 wcschr 38563->38568 38569 40b2cc 27 API calls 38563->38569 38571 40bf43 LocalFree 38563->38571 39205 40bd5d 28 API calls 38563->39205 39206 404423 38563->39206 38566->38563 38566->38567 38567->38563 38567->38568 38568->38563 38570 40bef6 _wcsnicmp 38569->38570 38570->38563 38570->38568 38571->38563 38572 4135f7 39219 4135e0 38572->39219 38575 40b2cc 27 API calls 38576 41360d 38575->38576 38577 40a804 8 API calls 38576->38577 38578 413613 38577->38578 38579 41361b 38578->38579 38580 41363e 38578->38580 38581 40b273 27 API calls 38579->38581 38582 4135e0 FreeLibrary 38580->38582 38583 413625 GetProcAddress 38581->38583 38584 413643 38582->38584 38583->38580 38585 413648 38583->38585 38584->38350 
38586 413658 38585->38586 38587 4135e0 FreeLibrary 38585->38587 38586->38350 38588 413666 38587->38588 38588->38350 39222 4449b9 38589->39222 38592 444c1f 38592->38327 38593 4449b9 42 API calls 38595 444b4b 38593->38595 38594 444c15 38597 4449b9 42 API calls 38594->38597 38595->38594 39243 444972 GetVersionExW 38595->39243 38597->38592 38598 444b99 memcmp 38603 444b8c 38598->38603 38599 444c0b 39247 444a85 42 API calls 38599->39247 38603->38598 38603->38599 39244 444aa5 42 API calls 38603->39244 39245 40a7a0 GetVersionExW 38603->39245 39246 444a85 42 API calls 38603->39246 38606 40399d 38605->38606 39248 403a16 38606->39248 38608 403a09 39262 40b1ab ??3@YAXPAX ??3@YAXPAX 38608->39262 38610 403a12 wcsrchr 38610->38342 38611 4039a3 38611->38608 38614 4039f4 38611->38614 39259 40a02c CreateFileW 38611->39259 38614->38608 38615 4099c6 2 API calls 38614->38615 38615->38608 38617 414c2e 16 API calls 38616->38617 38618 404048 38617->38618 38619 414c2e 16 API calls 38618->38619 38620 404056 38619->38620 38621 409d1f 6 API calls 38620->38621 38622 404073 38621->38622 38623 409d1f 6 API calls 38622->38623 38624 40408e 38623->38624 38625 409d1f 6 API calls 38624->38625 38626 4040a6 38625->38626 38627 403af5 20 API calls 38626->38627 38628 4040ba 38627->38628 38629 403af5 20 API calls 38628->38629 38630 4040cb 38629->38630 39289 40414f memset 38630->39289 38632 404140 39303 40b1ab ??3@YAXPAX ??3@YAXPAX 38632->39303 38634 4040ec memset 38637 4040e0 38634->38637 38635 404148 38635->38398 38636 4099c6 2 API calls 38636->38637 38637->38632 38637->38634 38637->38636 38638 40a8ab 9 API calls 38637->38638 38638->38637 39316 40a6e6 WideCharToMultiByte 38639->39316 38641 4087ed 39317 4095d9 memset 38641->39317 38644 408953 38644->38398 38645 408809 memset memset memset memset memset 38646 40b2cc 27 API calls 38645->38646 38647 4088a1 38646->38647 38648 409d1f 6 API calls 38647->38648 38649 4088b1 38648->38649 38650 40b2cc 27 API calls 38649->38650 38651 4088c0 38650->38651 38652 409d1f 
6 API calls 38651->38652 38653 4088d0 38652->38653 38654 40b2cc 27 API calls 38653->38654 38655 4088df 38654->38655 38656 409d1f 6 API calls 38655->38656 38657 4088ef 38656->38657 38658 40b2cc 27 API calls 38657->38658 38659 4088fe 38658->38659 38660 409d1f 6 API calls 38659->38660 38661 40890e 38660->38661 38662 40b2cc 27 API calls 38661->38662 38663 40891d 38662->38663 38664 409d1f 6 API calls 38663->38664 38665 40892d 38664->38665 39336 409b98 GetFileAttributesW 38665->39336 38691 40b633 ??3@YAXPAX 38690->38691 38692 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38691->38692 38693 413f00 Process32NextW 38692->38693 38694 413da5 OpenProcess 38693->38694 38695 413f17 CloseHandle 38693->38695 38696 413df3 memset 38694->38696 38701 413eb0 38694->38701 38695->38436 39638 413f27 38696->39638 38698 413ebf ??3@YAXPAX 38698->38701 38699 4099f4 3 API calls 38699->38701 38701->38693 38701->38698 38701->38699 38702 413e37 GetModuleHandleW 38703 413e1f 38702->38703 38704 413e46 GetProcAddress 38702->38704 38703->38702 39643 413959 38703->39643 39659 413ca4 38703->39659 38704->38703 38706 413ea2 CloseHandle 38706->38701 38708 414c2e 16 API calls 38707->38708 38709 403eb7 38708->38709 38710 414c2e 16 API calls 38709->38710 38711 403ec5 38710->38711 38712 409d1f 6 API calls 38711->38712 38713 403ee2 38712->38713 38714 409d1f 6 API calls 38713->38714 38715 403efd 38714->38715 38716 409d1f 6 API calls 38715->38716 38717 403f15 38716->38717 38718 403af5 20 API calls 38717->38718 38719 403f29 38718->38719 38720 403af5 20 API calls 38719->38720 38721 403f3a 38720->38721 38722 40414f 33 API calls 38721->38722 38723 403f4f 38722->38723 38724 403faf 38723->38724 38726 403f5b memset 38723->38726 38728 4099c6 2 API calls 38723->38728 38729 40a8ab 9 API calls 38723->38729 39673 40b1ab ??3@YAXPAX ??3@YAXPAX 38724->39673 38726->38723 38727 403fb7 38727->38382 38728->38723 38729->38723 38731 414c2e 16 API calls 38730->38731 38732 403d26 38731->38732 38733 414c2e 16 API calls 
38732->38733 38734 403d34 38733->38734 38735 409d1f 6 API calls 38734->38735 38736 403d51 38735->38736 38737 409d1f 6 API calls 38736->38737 38738 403d6c 38737->38738 38739 409d1f 6 API calls 38738->38739 38740 403d84 38739->38740 38741 403af5 20 API calls 38740->38741 38742 403d98 38741->38742 38743 403af5 20 API calls 38742->38743 38744 403da9 38743->38744 38745 40414f 33 API calls 38744->38745 38746 403dbe 38745->38746 38747 403e1e 38746->38747 38748 403dca memset 38746->38748 38751 4099c6 2 API calls 38746->38751 38752 40a8ab 9 API calls 38746->38752 39674 40b1ab ??3@YAXPAX ??3@YAXPAX 38747->39674 38748->38746 38750 403e26 38750->38386 38751->38746 38752->38746 38754 414b81 9 API calls 38753->38754 38755 414c40 38754->38755 38756 414c73 memset 38755->38756 39675 409cea 38755->39675 38757 414c94 38756->38757 39678 414592 RegOpenKeyExW 38757->39678 38760 414c64 38760->38376 38762 414cc1 38763 414cf4 wcscpy 38762->38763 39679 414bb0 wcscpy 38762->39679 38763->38760 38765 414cd2 39680 4145ac RegQueryValueExW 38765->39680 38767 414ce9 RegCloseKey 38767->38763 38769 409d62 38768->38769 38770 409d43 wcscpy 38768->38770 38769->38418 38771 409719 2 API calls 38770->38771 38772 409d51 wcscat 38771->38772 38772->38769 38774 40aebe FindClose 38773->38774 38775 40ae21 38774->38775 38776 4099c6 2 API calls 38775->38776 38777 40ae35 38776->38777 38778 409d1f 6 API calls 38777->38778 38779 40ae49 38778->38779 38779->38453 38781 40ade0 38780->38781 38782 40ae0f 38780->38782 38781->38782 38783 40ade7 wcscmp 38781->38783 38782->38453 38783->38782 38784 40adfe wcscmp 38783->38784 38784->38782 38786 40ae18 9 API calls 38785->38786 38792 4453c4 38786->38792 38787 40ae51 9 API calls 38787->38792 38788 4453f3 38790 40aebe FindClose 38788->38790 38789 40add4 2 API calls 38789->38792 38791 4453fe 38790->38791 38791->38453 38792->38787 38792->38788 38792->38789 38793 445403 253 API calls 38792->38793 38793->38792 38795 40ae7b FindNextFileW 38794->38795 38796 40ae5c FindFirstFileW 
38794->38796 38797 40ae94 38795->38797 38798 40ae8f 38795->38798 38796->38797 38800 40aeb6 38797->38800 38801 409d1f 6 API calls 38797->38801 38799 40aebe FindClose 38798->38799 38799->38797 38800->38453 38801->38800 38802->38385 38803->38439 38804->38420 38805->38420 38806->38454 38808 409c89 38807->38808 38808->38476 38809->38506 38811 413d39 38810->38811 38812 413d2f FreeLibrary 38810->38812 38813 40b633 ??3@YAXPAX 38811->38813 38812->38811 38814 413d42 38813->38814 38815 40b633 ??3@YAXPAX 38814->38815 38816 413d4a 38815->38816 38816->38335 38817->38339 38818->38388 38819->38402 38821 44db70 38820->38821 38822 40b6fc memset 38821->38822 38823 409c70 2 API calls 38822->38823 38824 40b732 wcsrchr 38823->38824 38825 40b743 38824->38825 38826 40b746 memset 38824->38826 38825->38826 38827 40b2cc 27 API calls 38826->38827 38828 40b76f 38827->38828 38829 409d1f 6 API calls 38828->38829 38830 40b783 38829->38830 39681 409b98 GetFileAttributesW 38830->39681 38832 40b792 38833 40b7c2 38832->38833 38834 409c70 2 API calls 38832->38834 39682 40bb98 38833->39682 38836 40b7a5 38834->38836 38838 40b2cc 27 API calls 38836->38838 38842 40b7b2 38838->38842 38839 40b837 FindCloseChangeNotification 38841 40b83e memset 38839->38841 38840 40b817 39716 409a45 GetTempPathW 38840->39716 39715 40a6e6 WideCharToMultiByte 38841->39715 38845 409d1f 6 API calls 38842->38845 38845->38833 38846 40b827 CopyFileW 38846->38841 38847 40b866 38848 444432 121 API calls 38847->38848 38849 40b879 38848->38849 38850 40bad5 38849->38850 38851 40b273 27 API calls 38849->38851 38852 40baeb 38850->38852 38853 40bade DeleteFileW 38850->38853 38854 40b89a 38851->38854 38855 40b04b ??3@YAXPAX 38852->38855 38853->38852 38856 438552 134 API calls 38854->38856 38857 40baf3 38855->38857 38858 40b8a4 38856->38858 38857->38412 38859 40bacd 38858->38859 38861 4251c4 137 API calls 38858->38861 38860 443d90 111 API calls 38859->38860 38860->38850 38884 40b8b8 38861->38884 38862 40bac6 39728 424f26 123 API calls 
38862->39728 38863 40b8bd memset 39719 425413 17 API calls 38863->39719 38866 425413 17 API calls 38866->38884 38869 40a71b MultiByteToWideChar 38869->38884 38870 40a734 MultiByteToWideChar 38870->38884 38873 40b9b5 memcmp 38873->38884 38874 4099c6 2 API calls 38874->38884 38875 404423 37 API calls 38875->38884 38877 40bb3e memset memcpy 39729 40a734 MultiByteToWideChar 38877->39729 38878 4251c4 137 API calls 38878->38884 38881 40bb88 LocalFree 38881->38884 38884->38862 38884->38863 38884->38866 38884->38869 38884->38870 38884->38873 38884->38874 38884->38875 38884->38877 38884->38878 38885 40ba5f memcmp 38884->38885 39720 4253ef 16 API calls 38884->39720 39721 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38884->39721 39722 4253af 17 API calls 38884->39722 39723 4253cf 17 API calls 38884->39723 39724 447280 memset 38884->39724 39725 447960 memset memcpy memcpy memcpy 38884->39725 39726 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38884->39726 39727 447920 memcpy memcpy memcpy 38884->39727 38885->38884 38886->38414 38888 40aed1 38887->38888 38889 40aec7 FindClose 38887->38889 38888->38347 38889->38888 38891 4099d7 38890->38891 38892 4099da memcpy 38890->38892 38891->38892 38892->38397 38894 40b2cc 27 API calls 38893->38894 38895 44543f 38894->38895 38896 409d1f 6 API calls 38895->38896 38897 44544f 38896->38897 39821 409b98 GetFileAttributesW 38897->39821 38899 44545e 38900 445476 38899->38900 38901 40b6ef 252 API calls 38899->38901 38902 40b2cc 27 API calls 38900->38902 38901->38900 38903 445482 38902->38903 38904 409d1f 6 API calls 38903->38904 38905 445492 38904->38905 39822 409b98 GetFileAttributesW 38905->39822 38907 4454a1 38908 4454b9 38907->38908 38909 40b6ef 252 API calls 38907->38909 38908->38428 38909->38908 38910->38427 38911->38444 38912->38450 38913->38487 38914->38469 38915->38514 38916->38514 38917->38497 38918->38525 38919->38527 38920->38529 38922 414c2e 16 API calls 38921->38922 38923 40c2ae 38922->38923 38993 40c1d3 38923->38993 38928 40c3be 38945 
40a8ab 38928->38945 38929 40afcf 2 API calls 38930 40c2fd FindFirstUrlCacheEntryW 38929->38930 38931 40c3b6 38930->38931 38932 40c31e wcschr 38930->38932 38933 40b04b ??3@YAXPAX 38931->38933 38934 40c331 38932->38934 38935 40c35e FindNextUrlCacheEntryW 38932->38935 38933->38928 38936 40a8ab 9 API calls 38934->38936 38935->38932 38937 40c373 GetLastError 38935->38937 38940 40c33e wcschr 38936->38940 38938 40c3ad FindCloseUrlCache 38937->38938 38939 40c37e 38937->38939 38938->38931 38941 40afcf 2 API calls 38939->38941 38940->38935 38942 40c34f 38940->38942 38943 40c391 FindNextUrlCacheEntryW 38941->38943 38944 40a8ab 9 API calls 38942->38944 38943->38932 38943->38938 38944->38935 39109 40a97a 38945->39109 38948 40a8cc 38948->38536 38949 40a8d0 7 API calls 38949->38948 39114 40b1ab ??3@YAXPAX ??3@YAXPAX 38950->39114 38952 40c3dd 38953 40b2cc 27 API calls 38952->38953 38954 40c3e7 38953->38954 39115 414592 RegOpenKeyExW 38954->39115 38956 40c3f4 38957 40c50e 38956->38957 38958 40c3ff 38956->38958 38972 405337 38957->38972 38959 40a9ce 4 API calls 38958->38959 38960 40c418 memset 38959->38960 39116 40aa1d 38960->39116 38963 40c471 38965 40c47a _wcsupr 38963->38965 38964 40c505 RegCloseKey 38964->38957 38966 40a8d0 7 API calls 38965->38966 38967 40c498 38966->38967 38968 40a8d0 7 API calls 38967->38968 38969 40c4ac memset 38968->38969 38970 40aa1d 38969->38970 38971 40c4e4 RegEnumValueW 38970->38971 38971->38964 38971->38965 39118 405220 38972->39118 38976 4099c6 2 API calls 38975->38976 38977 40a714 _wcslwr 38976->38977 38978 40c634 38977->38978 39175 405361 38978->39175 38981 40c65c wcslen 39178 4053b6 39 API calls 38981->39178 38982 40c71d wcslen 38982->38546 38984 40c713 39181 4053df 39 API calls 38984->39181 38985 40c677 38985->38984 39179 40538b 39 API calls 38985->39179 38988 40c6a5 38988->38984 38989 40c6a9 memset 38988->38989 38990 40c6d3 38989->38990 39180 40c589 43 API calls 38990->39180 38992->38543 38994 40ae18 9 API calls 38993->38994 39000 40c210 

                                            Control-flow Graph

                                            APIs
                                            • memset.MSVCRT ref: 0040DDAD
                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                            • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                              • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                            • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                            • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                            • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                            • _wcsicmp.MSVCRT ref: 0040DEB2
                                            • _wcsicmp.MSVCRT ref: 0040DEC5
                                            • _wcsicmp.MSVCRT ref: 0040DED8
                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                            • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                            • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                            • memset.MSVCRT ref: 0040DF5F
                                            • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                            • _wcsicmp.MSVCRT ref: 0040DFB2
                                            • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                            • API String ID: 594330280-3398334509
                                            • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                            • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                            APIs
                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                              • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                            • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                            • String ID:
                                            • API String ID: 2947809556-0
                                            • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                            • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                            APIs
                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FileFind$FirstNext
                                            • String ID:
                                            • API String ID: 1690352074-0
                                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755

                                            Control-flow Graph

                                            APIs
                                            • memset.MSVCRT ref: 004455C2
                                            • wcsrchr.MSVCRT ref: 004455DA
                                            • memset.MSVCRT ref: 0044570D
                                            • memset.MSVCRT ref: 00445725
                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                              • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                              • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                            • memset.MSVCRT ref: 0044573D
                                            • memset.MSVCRT ref: 00445755
                                            • memset.MSVCRT ref: 004458CB
                                            • memset.MSVCRT ref: 004458E3
                                            • memset.MSVCRT ref: 0044596E
                                            • memset.MSVCRT ref: 00445A10
                                            • memset.MSVCRT ref: 00445A28
                                            • memset.MSVCRT ref: 00445AC6
                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                            • memset.MSVCRT ref: 00445B52
                                            • memset.MSVCRT ref: 00445B6A
                                            • memset.MSVCRT ref: 00445C9B
                                            • memset.MSVCRT ref: 00445CB3
                                            • _wcsicmp.MSVCRT ref: 00445D56
                                            • memset.MSVCRT ref: 00445B82
                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                            • memset.MSVCRT ref: 00445986
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                            • API String ID: 2745753283-3798722523
                                            • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                            • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                            • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                            • String ID: $/deleteregkey$/savelangfile
                                            • API String ID: 2744995895-28296030
                                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                            Control-flow Graph

                                            APIs
                                            • memset.MSVCRT ref: 0040B71C
                                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                            • wcsrchr.MSVCRT ref: 0040B738
                                            • memset.MSVCRT ref: 0040B756
                                            • memset.MSVCRT ref: 0040B7F5
                                            • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                            • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                            • memset.MSVCRT ref: 0040B851
                                            • memset.MSVCRT ref: 0040B8CA
                                            • memcmp.MSVCRT ref: 0040B9BF
                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                            • memset.MSVCRT ref: 0040BB53
                                            • memcpy.MSVCRT ref: 0040BB66
                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                            • String ID: chp$v10
                                            • API String ID: 170802307-2783969131
                                            • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                            • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                            • memset.MSVCRT ref: 0040E380
                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                              • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                            • wcschr.MSVCRT ref: 0040E3B8
                                            • memcpy.MSVCRT ref: 0040E3EC
                                            • memcpy.MSVCRT ref: 0040E407
                                            • memcpy.MSVCRT ref: 0040E422
                                            • memcpy.MSVCRT ref: 0040E43D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                            • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                            • API String ID: 3073804840-2252543386
                                            • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                            • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                            • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                            • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                            • String ID:
                                            • API String ID: 3715365532-3916222277
                                            • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                            • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                            • memset.MSVCRT ref: 00413D7F
                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                            • memset.MSVCRT ref: 00413E07
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                            • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                            • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                            • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                            • String ID: QueryFullProcessImageNameW$kernel32.dll
                                            • API String ID: 912665193-1740548384
                                            • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                            • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                            • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                            • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                              • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                              • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                              • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                              • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                            • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                            • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                            • String ID: bhv
                                            • API String ID: 327780389-2689659898
                                            • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                            • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                            • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                            • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                            • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                            • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                            • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                            • API String ID: 2941347001-70141382
                                            • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                            • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                            • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                            • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                            • String ID:
                                            • API String ID: 2827331108-0
                                            • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                            • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                            • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                            • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                            Control-flow Graph

                                            APIs
                                            • memset.MSVCRT ref: 0040C298
                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                            • wcschr.MSVCRT ref: 0040C324
                                            • wcschr.MSVCRT ref: 0040C344
                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                            • GetLastError.KERNEL32 ref: 0040C373
                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                            • String ID: visited:
                                            • API String ID: 1157525455-1702587658
                                            • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                            • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                            • memset.MSVCRT ref: 0040E1BD
                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                            • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                            • _snwprintf.MSVCRT ref: 0040E257
                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                                            • API String ID: 3883404497-2982631422
                                            • Opcode ID: 9b2423e8a83b4016eb98faf4fc371ed1828930e493e355a8e36618bebdc061fe
                                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                            • Opcode Fuzzy Hash: 9b2423e8a83b4016eb98faf4fc371ed1828930e493e355a8e36618bebdc061fe
                                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                              • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                            • memset.MSVCRT ref: 0040BC75
                                            • memset.MSVCRT ref: 0040BC8C
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                            • memcmp.MSVCRT ref: 0040BCD6
                                            • memcpy.MSVCRT ref: 0040BD2B
                                            • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                            • String ID:
                                            • API String ID: 509814883-3916222277
                                            • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                            • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                            • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                            • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                            Control-flow Graph

                                            APIs
                                            • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                            • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                            • GetLastError.KERNEL32 ref: 0041847E
                                            • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: CreateFile$??3@ErrorLast
                                            • String ID: |A
                                            • API String ID: 1407640353-1717621600
                                            • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                            • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                            • String ID: r!A
                                            • API String ID: 2791114272-628097481
                                            • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                            • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                            APIs
                                              • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                              • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                              • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                            • _wcslwr.MSVCRT ref: 0040C817
                                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                            • wcslen.MSVCRT ref: 0040C82C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                            • API String ID: 62308376-4196376884
                                            • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                            • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                            • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                            • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                            • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                            • memcpy.MSVCRT ref: 0040B60D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                            • String ID: BIN
                                            • API String ID: 1668488027-1015027815
                                            • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                            • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                            • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                            • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                            APIs
                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                            • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                            • wcslen.MSVCRT ref: 0040BE06
                                            • _wcsncoll.MSVCRT ref: 0040BE38
                                            • memset.MSVCRT ref: 0040BE91
                                            • memcpy.MSVCRT ref: 0040BEB2
                                            • _wcsnicmp.MSVCRT ref: 0040BEFC
                                            • wcschr.MSVCRT ref: 0040BF24
                                            • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                            • String ID:
                                            • API String ID: 3191383707-0
                                            • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                            • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                            • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                            • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                            APIs
                                            • memset.MSVCRT ref: 00403CBF
                                            • memset.MSVCRT ref: 00403CD4
                                            • memset.MSVCRT ref: 00403CE9
                                            • memset.MSVCRT ref: 00403CFE
                                            • memset.MSVCRT ref: 00403D13
                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                            • memset.MSVCRT ref: 00403DDA
                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                              • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                            • String ID: Waterfox$Waterfox\Profiles
                                            • API String ID: 3527940856-11920434
                                            • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                            • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                            APIs
                                            • memset.MSVCRT ref: 00403E50
                                            • memset.MSVCRT ref: 00403E65
                                            • memset.MSVCRT ref: 00403E7A
                                            • memset.MSVCRT ref: 00403E8F
                                            • memset.MSVCRT ref: 00403EA4
                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                            • memset.MSVCRT ref: 00403F6B
                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                              • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                            • API String ID: 3527940856-2068335096
                                            • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                            • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                            APIs
                                            • memset.MSVCRT ref: 00403FE1
                                            • memset.MSVCRT ref: 00403FF6
                                            • memset.MSVCRT ref: 0040400B
                                            • memset.MSVCRT ref: 00404020
                                            • memset.MSVCRT ref: 00404035
                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                            • memset.MSVCRT ref: 004040FC
                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                              • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                            • API String ID: 3527940856-3369679110
                                            • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                            • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memcpy
                                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                            • API String ID: 3510742995-2641926074
                                            • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                            APIs
                                              • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                            • memset.MSVCRT ref: 004033B7
                                            • memcpy.MSVCRT ref: 004033D0
                                            • wcscmp.MSVCRT ref: 004033FC
                                            • _wcsicmp.MSVCRT ref: 00403439
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                            • String ID: $0.@
                                            • API String ID: 3030842498-1896041820
                                            • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                            • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                            APIs
                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                            • String ID:
                                            • API String ID: 2941347001-0
                                            • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                            • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                            • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                            • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                            APIs
                                            • memset.MSVCRT ref: 00403C09
                                            • memset.MSVCRT ref: 00403C1E
                                              • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                              • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                            • wcscat.MSVCRT ref: 00403C47
                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                              • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                            • wcscat.MSVCRT ref: 00403C70
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memsetwcscat$Closewcscpywcslen
                                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                            • API String ID: 3249829328-1174173950
                                            • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                            • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                            • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                            • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                            APIs
                                            • memset.MSVCRT ref: 0040A824
                                            • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • wcscpy.MSVCRT ref: 0040A854
                                            • wcscat.MSVCRT ref: 0040A86A
                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                            • String ID:
                                            • API String ID: 669240632-0
                                            • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                            • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                            • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                            • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                            APIs
                                            • wcschr.MSVCRT ref: 00414458
                                            • _snwprintf.MSVCRT ref: 0041447D
                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                            • String ID: "%s"
                                            • API String ID: 1343145685-3297466227
                                            • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                            • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                            • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                            • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                            • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                            • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProcProcessTimes
                                            • String ID: GetProcessTimes$kernel32.dll
                                            • API String ID: 1714573020-3385500049
                                            • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                            • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                            • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                            • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                            APIs
                                            • memset.MSVCRT ref: 004087D6
                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                            • memset.MSVCRT ref: 00408828
                                            • memset.MSVCRT ref: 00408840
                                            • memset.MSVCRT ref: 00408858
                                            • memset.MSVCRT ref: 00408870
                                            • memset.MSVCRT ref: 00408888
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                            • String ID:
                                            • API String ID: 2911713577-0
                                            • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                            • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                            • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                            • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memcmp
                                            • String ID: @ $SQLite format 3
                                            • API String ID: 1475443563-3708268960
                                            • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                            • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                            • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                            • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                            APIs
                                              • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                            • memset.MSVCRT ref: 00414C87
                                            • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • wcscpy.MSVCRT ref: 00414CFC
                                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                            Strings
                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressCloseProcVersionmemsetwcscpy
                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                            • API String ID: 2705122986-2036018995
                                            • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                            • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                            • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                            • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: _wcsicmpqsort
                                            • String ID: /nosort$/sort
                                            • API String ID: 1579243037-1578091866
                                            • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                            • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                            • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                            • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                            APIs
                                            • memset.MSVCRT ref: 0040E60F
                                            • memset.MSVCRT ref: 0040E629
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            Strings
                                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                            • API String ID: 3354267031-2114579845
                                            • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                            • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                            • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                            • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                            APIs
                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                            • LockResource.KERNEL32(00000000), ref: 004148EF
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Resource$FindLoadLockSizeof
                                            • String ID:
                                            • API String ID: 3473537107-0
                                            • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                            • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                            • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                            • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID:
                                            • API String ID: 613200358-0
                                            • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                            • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                            • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                            • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                            Strings
                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset
                                            • String ID: only a single result allowed for a SELECT that is part of an expression
                                            • API String ID: 2221118986-1725073988
                                            • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                            • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                            • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                            • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                            APIs
                                            • Sleep.KERNEL32(00000064), ref: 004175D0
                                            • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotificationSleep
                                            • String ID: }A
                                            • API String ID: 1821831730-2138825249
                                            • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                            • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                            • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                            • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@DeleteObject
                                            • String ID: r!A
                                            • API String ID: 1103273653-628097481
                                            • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                            • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                            • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                            • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??2@
                                            • String ID:
                                            • API String ID: 1033339047-0
                                            • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                            • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                            • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                            • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                            APIs
                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                            • memcmp.MSVCRT ref: 00444BA5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AddressProc$memcmp
                                            • String ID: $$8
                                            • API String ID: 2808797137-435121686
                                            • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                            • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                            • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                            • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                            APIs
                                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                              • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                              • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                              • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                              • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                            • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                              • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                            • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                            • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                              • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                            • String ID:
                                            • API String ID: 1042154641-0
                                            • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                            • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                            • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                            • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                            APIs
                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                            • memset.MSVCRT ref: 00403A55
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                              • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                            • String ID: history.dat$places.sqlite
                                            • API String ID: 3093078384-467022611
                                            • Opcode ID: d8e6b92af2facd06d5e6909280136e68436f7e8cf7fe865055eef002cd24ddb2
                                            • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                            • Opcode Fuzzy Hash: d8e6b92af2facd06d5e6909280136e68436f7e8cf7fe865055eef002cd24ddb2
                                            • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                            APIs
                                              • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                            • GetLastError.KERNEL32 ref: 00417627
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ErrorLast$File$PointerRead
                                            • String ID:
                                            • API String ID: 839530781-0
                                            • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                            • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                            • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                            • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FileFindFirst
                                            • String ID: *.*$index.dat
                                            • API String ID: 1974802433-2863569691
                                            • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                            • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@mallocmemcpy
                                            • String ID:
                                            • API String ID: 3831604043-0
                                            • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                            • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                            • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                            • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                            APIs
                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                            • GetLastError.KERNEL32 ref: 004175A2
                                            • GetLastError.KERNEL32 ref: 004175A8
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FilePointer
                                            • String ID:
                                            • API String ID: 1156039329-0
                                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: File$ChangeCloseCreateFindNotificationTime
                                            • String ID:
                                            • API String ID: 1631957507-0
                                            • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                            • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                            • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                            • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                            APIs
                                            • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                            • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                            Similarity
                                            • API ID: Temp$DirectoryFileNamePathWindows
                                            • String ID:
                                            • API String ID: 1125800050-0
                                            Similarity
                                            • API ID:
                                            • String ID: d
                                            • API String ID: 0-2564639436
                                            Similarity
                                            • API ID: memset
                                            • String ID: BINARY
                                            • API String ID: 2221118986-907554435
                                            APIs
                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                            • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                              • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                              • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                              • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                            Similarity
                                            • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                            • String ID:
                                            • API String ID: 1161345128-0
                                            Similarity
                                            • API ID: _wcsicmp
                                            • String ID: /stext
                                            • API String ID: 2081463915-3817206916
                                            Similarity
                                            • API ID: _wcsicmp
                                            • String ID: .#v
                                            • API String ID: 2081463915-507759092
                                            APIs
                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                            • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                            • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                            Similarity
                                            • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                            • String ID:
                                            • API String ID: 159017214-0
                                            APIs
                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                            • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                            Similarity
                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                            • String ID:
                                            • API String ID: 3150196962-0
                                            APIs
                                            • memset.MSVCRT ref: 0041898C
                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                            Similarity
                                            • API ID: InfoSystemmemset
                                            • String ID:
                                            • API String ID: 3558857096-0
                                            Strings
                                            • failed to allocate %u bytes of memory, xrefs: 004152F0
                                            Similarity
                                            • API ID: malloc
                                            • String ID: failed to allocate %u bytes of memory
                                            • API String ID: 2803490479-1168259600
                                            Similarity
                                            • API ID: ??3@
                                            • String ID:
                                            • API String ID: 613200358-0
                                            Similarity
                                            • API ID: memcmpmemset
                                            • String ID:
                                            • API String ID: 1065087418-0
                                            Similarity
                                            • API ID: memset
                                            • String ID:
                                            • API String ID: 2221118986-0
                                            Similarity
                                            • API ID: memcpymemset
                                            • String ID:
                                            • API String ID: 1297977491-0
                                            APIs
                                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                              • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                              • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                            Similarity
                                            • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                            • String ID:
                                            • API String ID: 1481295809-0
                                            APIs
                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                            Similarity
                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                            • String ID:
                                            • API String ID: 3150196962-0
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                            Similarity
                                            • API ID: File$PointerRead
                                            • String ID:
                                            • API String ID: 3154509469-0
                                            APIs
                                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                            Similarity
                                            • API ID: PrivateProfile$StringWrite_itowmemset
                                            • String ID:
                                            • API String ID: 4232544981-0
                                            APIs
                                            • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            APIs
                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                            • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                            Similarity
                                            • API ID: AddressProc$FileModuleName
                                            • String ID:
                                            • API String ID: 3859505661-0
                                            APIs
                                            • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                            • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                            • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                            • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                            APIs
                                            • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FileWrite
                                            • String ID:
                                            • API String ID: 3934441357-0
                                            • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                            • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                            • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                            • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                            APIs
                                            • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                            • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                            • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                            • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID:
                                            • API String ID: 613200358-0
                                            • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                            • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                            • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                            • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                            • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                            • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                            • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                            APIs
                                            • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                            • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                            • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                            • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID:
                                            • API String ID: 613200358-0
                                            • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                            • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                            • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                            • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID:
                                            • API String ID: 613200358-0
                                            • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                            • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                            • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                            • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                            APIs
                                            • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                            • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                            • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                            • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                            APIs
                                            • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: EnumNamesResource
                                            • String ID:
                                            • API String ID: 3334572018-0
                                            • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                            • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                            • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                            • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                            APIs
                                            • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                            • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                            • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                            • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                            APIs
                                            • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: CloseFind
                                            • String ID:
                                            • API String ID: 1863332320-0
                                            • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                            • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                            • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                            • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                            • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                            • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                            • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                            • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                            • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                            • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@
                                            • String ID:
                                            • API String ID: 613200358-0
                                            • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                            • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                            • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                            • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                            • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                            • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                            • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                            APIs
                                            • memset.MSVCRT ref: 004095FC
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                              • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                              • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                            • String ID:
                                            • API String ID: 3655998216-0
                                            • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                            • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                            • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                            • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                            APIs
                                            • memset.MSVCRT ref: 00445426
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                            • String ID:
                                            • API String ID: 1828521557-0
                                            • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                            • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                            • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                            • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                            APIs
                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                              • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                            • memcpy.MSVCRT ref: 00406942
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??2@FilePointermemcpy
                                            • String ID:
                                            • API String ID: 609303285-0
                                            • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                            • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                            • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                            • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                            APIs
                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateErrorHandleLastRead
                                            • String ID:
                                            • API String ID: 2136311172-0
                                            • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                            • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                            • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                            • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                            APIs
                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                            • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??2@??3@
                                            • String ID:
                                            • API String ID: 1936579350-0
                                            • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                            • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                            • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                            • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                            APIs
                                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                            • GetWindowRect.USER32(?,?), ref: 00414088
                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                            • GetDC.USER32 ref: 004140E3
                                            • wcslen.MSVCRT ref: 00414123
                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                            • ReleaseDC.USER32(?,?), ref: 00414181
                                            • _snwprintf.MSVCRT ref: 00414244
                                            • SetWindowTextW.USER32(?,?), ref: 00414258
                                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                            • GetClientRect.USER32(?,?), ref: 004142E1
                                            • GetWindowRect.USER32(?,?), ref: 004142EB
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                            • GetClientRect.USER32(?,?), ref: 0041433B
                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                            • String ID: %s:$EDIT$STATIC
                                            • API String ID: 2080319088-3046471546
                                            • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                            • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                            • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                            • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                            APIs
                                            • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                              • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                            • memcpy.MSVCRT ref: 0040C11B
                                            • strchr.MSVCRT ref: 0040C140
                                            • strchr.MSVCRT ref: 0040C151
                                            • _strlwr.MSVCRT ref: 0040C15F
                                            • memset.MSVCRT ref: 0040C17A
                                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                            • String ID: 4$h
                                            • API String ID: 4066021378-1856150674
                                            • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                            • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                            • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                            • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                            APIs
                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                            • wcscpy.MSVCRT ref: 0040A0D9
                                            • wcscat.MSVCRT ref: 0040A0E6
                                            • wcscat.MSVCRT ref: 0040A0F5
                                            • wcscpy.MSVCRT ref: 0040A107
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                            • String ID:
                                            • API String ID: 1331804452-0
                                            • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                            • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                            • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                            • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                            APIs
                                            Strings
                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                            • <%s>, xrefs: 004100A6
                                            • <?xml version="1.0" ?>, xrefs: 0041007C
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$_snwprintf
                                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                            • API String ID: 3473751417-2880344631
                                            • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                            • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                            • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                            • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                            APIs
                                            • memset.MSVCRT ref: 004100FB
                                            • memset.MSVCRT ref: 00410112
                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                            • _snwprintf.MSVCRT ref: 00410141
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: memset$_snwprintf_wcslwrwcscpy
                                            • String ID: </%s>
                                            • API String ID: 3400436232-259020660
                                            • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                            • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                            • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                            • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                            APIs
                                            • memset.MSVCRT ref: 00412057
                                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                            • GetKeyState.USER32(00000010), ref: 0041210D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                            • String ID:
                                            • API String ID: 3550944819-0
                                            • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                            • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                            • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                            • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                            APIs
                                            • strlen.MSVCRT ref: 0040B0D8
                                            • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                              • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                              • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                            • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                            • memcpy.MSVCRT ref: 0040B159
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_400000_AddInProcess32.jbxd
                                            Similarity
                                            • API ID: ??3@$memcpy$mallocstrlen
                                            • String ID:
                                            • API String ID: 1171893557-0
                                            • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                            • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
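The function records above all follow the same rendered layout: an APIs heading, one bullet per imported call (with nested "Part of subcall function" bullets for callees), then Strings, Memory Dump Source and Similarity blocks whose bullets are "Key: value" pairs. When triaging a long dump like this one it is quicker to parse those records into structured data and tag each function by the API families it touches than to read them by hand. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin; it assumes the text layout exactly as rendered on this page, and the capability groupings (file-read, string-parse, timestamp-format, launch, gui) are a hypothetical triage heuristic of my own, not a Joe Sandbox classification. The sample input is two records copied from the listing above and embedded here so the script runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed excerpt: two records copied verbatim from the function listing
# above (one timestamp-formatting helper, one file-reading routine).
SAMPLE = """\
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• wcscpy.MSVCRT ref: 0040A0D9
Memory Dump Source
• Source File: 00000006.00000002.2126460317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
• Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
• strchr.MSVCRT ref: 0040C140
• _strlwr.MSVCRT ref: 0040C15F
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
"""

# "Key: value" bullets the report prints under Memory Dump Source / Similarity.
KNOWN_FIELDS = {
    "API ID", "String ID", "API String ID", "Opcode ID", "Instruction ID",
    "Opcode Fuzzy Hash", "Instruction Fuzzy Hash", "Source File", "Snapshot File",
}

# Hypothetical triage buckets (my own heuristic, not a Joe Sandbox category).
CAPABILITY_HINTS = {
    "file-read": {"CreateFileW", "ReadFile", "GetFileSize", "SetFilePointer"},
    "string-parse": {"strchr", "_strlwr", "_memicmp", "_wcslwr", "wcslen"},
    "timestamp-format": {"FileTimeToSystemTime", "GetDateFormatW", "GetTimeFormatW"},
    "launch": {"ShellExecuteW"},
    "gui": {"GetDlgItem", "SetWindowPos", "SetWindowTextW", "GetWindowRect"},
}

# Direct call bullet: "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR".
API_RE = re.compile(
    r"^•\s+(?P<name>[^\s.(]+)\.(?P<mod>[A-Z0-9]+)(?:\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
# Nested callee bullet: "Part of subcall function ADDR: Name.MODULE(...), ref: ADDR".
SUBCALL_RE = re.compile(
    r"^•\s+Part of subcall function (?P<fn>[0-9A-Fa-f]{8}):\s+"
    r"(?P<name>[^\s.(]+)\.(?P<mod>[A-Z0-9]+).*?ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class FunctionRecord:
    apis: List[Tuple[str, str, str]] = field(default_factory=list)          # (name, module, ref)
    subcalls: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (callee, name, module, ref)
    fields: Dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the rendered listing into one FunctionRecord per 'APIs' block."""
    records: List[FunctionRecord] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every function block starts here
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                            # bare headings: Strings, Similarity, ...
        m = SUBCALL_RE.match(line)
        if m:
            cur.subcalls.append((m["fn"], m["name"], m["mod"], m["ref"]))
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["mod"], m["ref"]))
            continue
        m = FIELD_RE.match(line)
        if m and m["key"] in KNOWN_FIELDS:
            cur.fields[m["key"]] = m["val"]     # empty value (e.g. "String ID:") kept as ""
    return records


def tag_capabilities(rec: FunctionRecord, include_subcalls: bool = True) -> List[str]:
    """Return the sorted heuristic buckets whose API set intersects this function's calls."""
    names = {a[0] for a in rec.apis}
    if include_subcalls:
        names |= {s[1] for s in rec.subcalls}
    return sorted(tag for tag, apis in CAPABILITY_HINTS.items() if names & apis)


def summarize(records: List[FunctionRecord]) -> List[str]:
    """One line per function: API String ID, call count, heuristic tags."""
    return [f"{r.fields.get('API String ID', '?')}: {len(r.apis)} calls, "
            f"{len(r.subcalls)} via subcalls, tags={tag_capabilities(r)}" for r in records]


if __name__ == "__main__":
    for line in summarize(parse_records(SAMPLE)):
        print(line)
```

The "API String ID" pair is the stable key to carry between reports: the same value on a function from a different dump of this family means Joe Sandbox saw the same API and string set, so the per-function tags can be reused when pivoting to another sample.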