Windows Analysis Report
1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe

Overview

General Information

Sample name: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Analysis ID: 1538197
MD5: 848b4297cc3b325ab1f7cbf347b35624
SHA1: d809d80dab17186abd0bb9cd5b4c05d92d81e220
SHA256: 6a8c2987ea059d7ad328722dfe1d8c7e08f257fbf3b7ef9dfd37b8e2f485840a
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration:
{"Host:Port:Password": ["janbours92harbu007.duckdns.org:3981:1", "janbours92harbu007.duckdns.org:3980:0", "Wealthabundance.duckdns.org:3980:0"], "Assigned name": "WEALTHMANIFESTED", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc0393949-KH667X", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Source | Rule | Description | Author | Strings
Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i
Source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, ProcessId: 7436, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-20T19:28:57.477867+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 172.111.244.103 | 3981 | TCP
2024-10-20T19:28:59.679528+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 172.111.244.103 | 3981 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-20T19:29:00.449017+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Avira: detected
Source: 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["janbours92harbu007.duckdns.org:3981:1", "janbours92harbu007.duckdns.org:3980:0", "Wealthabundance.duckdns.org:3980:0"], "Assigned name": "WEALTHMANIFESTED", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc0393949-KH667X", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4119976104.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7588, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_004338C8
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,1_2_00404423
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_f2895c9b-3

Exploits

Source: Yara match | File source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7588, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00407538 _wcslen,CoGetObject,0_2_00407538
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_100010F1
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0040AE51 FindFirstFileW,FindNextFileW,1_2_0040AE51
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,2_2_00407EF8
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,3_2_00407898
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2

Networking

                        Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 172.111.244.103:3981
                        Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49731 -> 172.111.244.103:3981
                        Source: Malware configuration extractorURLs: janbours92harbu007.duckdns.org
                        Source: Malware configuration extractorURLs: janbours92harbu007.duckdns.org
                        Source: Malware configuration extractorURLs: Wealthabundance.duckdns.org
                        Source: unknownDNS query: name: janbours92harbu007.duckdns.org
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                        Source: Joe Sandbox ViewASN Name: M247GB M247GB
                        Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 178.237.33.50:80
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B411
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120341681.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                        Source: bhvAE0C.tmp.1.drString found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
                        Source: bhvAE0C.tmp.1.drString found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000003.1720882420.000000000094D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000003.1720882420.000000000094D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120066851.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120066851.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: janbours92harbu007.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722983778.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1699766502.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1703507034.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722657937.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1699766502.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1703507034.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpRt
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722983778.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1699766502.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1703507034.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722657937.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpes
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://ocspx.digicert.com0E
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0~
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000003.1714015326.000000000097D000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000003.1713988826.000000000097D000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120341681.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120341681.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000003.1714015326.000000000097D000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000003.1713988826.000000000097D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comta
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721137795.0000000000193000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000003.1720882420.000000000094D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvAE0C.tmp.1.dr | String found in binary or memory: https://www.office.com/
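Most of the URLs above come from bhvAE0C.tmp.1.dr, a dropped browser-cache file, and are ordinary certificate, CDN and Microsoft telemetry endpoints; the strings that matter are the ones found in the sample's own process memory and in the live DNS traffic (geoplugin.net for geolocation, the duckdns.org C2 host). The script below, an added example for this page and not Joe Sandbox's own code, parses signature lines of this shape, separates indicators by where they were found, and flags dynamic-DNS hosts. The sample lines are copied (some shortened) from the report; the dynamic-DNS suffix list is an illustrative assumption, and the trimming of the stray bytes the report prints after a pathless URL (the "0" in "ocsp.digicert.com0" is the DER length byte that follows the URL in the certificate) is a best-effort heuristic.

```python
"""Triage the network indicators in Joe Sandbox "String found in binary or
memory" and "DNS traffic detected" lines.

Added example for this report page, not Joe Sandbox code. SAMPLE_LINES are
copied (some shortened) from the section above; DYNDNS_SUFFIXES is an
illustrative, incomplete list, and the host trimming is a best-effort
heuristic for the stray bytes the report prints after a URL.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Accepts the flattened form ("bhvAE0C.tmp.1.drString found ...") as well as
# a form with a separator between the Source cell and the description cell.
_LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.*?)\s*\|?\s*"
    r"(?P<kind>String found in binary or memory|DNS traffic detected):\s*"
    r"(?P<value>.*)$"
)
# URLs in memory dumps are often back to back; stop each one where the next begins.
_URL_RE = re.compile(r"https?://(?:(?!https?://)[^\s\"'<>])+", re.IGNORECASE)
_DNS_RE = re.compile(r"DNS query:\s*([A-Za-z0-9.-]+)")
# Drop what trails a .com/.net/.org label when the URL had no path, e.g. the
# DER length byte in "http://ocsp.digicert.com0" (heuristic, assumed here).
_TRAIL_RE = re.compile(r"(?<=\.(?:com|net|org))[^.]*$")

# Illustrative list; this report only evidences duckdns.org.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

SAMPLE_EXE = "1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe"
SAMPLE_LINES = [  # copied from the report above, some shortened
    "Source: global trafficDNS traffic detected: DNS query: janbours92harbu007.duckdns.org",
    "Source: global trafficDNS traffic detected: DNS query: geoplugin.net",
    "Source: bhvAE0C.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0",
    "Source: bhvAE0C.tmp.1.drString found in binary or memory: "
    "http://crl3.digicert.com/DigiCertGlobalRootCA.crl07",
    f"Source: {SAMPLE_EXE}String found in binary or memory: http://geoplugin.net/json.gp/C",
    f"Source: {SAMPLE_EXE}, 00000003.00000002.1714550710.0000000000400000.00000040.80000000"
    ".00040000.00000000.sdmpString found in binary or memory: "
    "http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com",
    f"Source: {SAMPLE_EXE}, 00000001.00000002.1721137795.0000000000193000.00000004.00000010"
    ".00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net",
]


def parse_line(line):
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_source(source):
    """Where a string was found decides how much it says about the sample."""
    if source == "global traffic":
        return "network"
    if re.search(r"\.\d+\.dr$", source):                # dropped file, e.g. bhvAE0C.tmp.1.dr
        return "dropped_file"
    if ".sdmp" in source or source.endswith(".exe"):    # the sample or one of its memory dumps
        return "sample_memory"
    return "other"


def normalize_host(host):
    return _TRAIL_RE.sub("", host.lower())


def hosts_in(value):
    hosts = [normalize_host(urlsplit(u).hostname or "") for u in _URL_RE.findall(value)]
    m = _DNS_RE.search(value)
    if m:
        hosts.append(normalize_host(m.group(1)))
    return [h for h in hosts if h]


def is_dyndns(host):
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def triage(lines):
    """Return (sorted hosts per source class, flagged hosts). Hosts seen only in a
    dropped browser-cache file are kept apart from those in the sample itself."""
    by_class = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_class[classify_source(rec["source"])].update(hosts_in(rec["value"]))
    candidates = by_class["network"] | by_class["sample_memory"]
    flagged = {h: "dynamic DNS" for h in candidates if is_dyndns(h)}
    return {k: sorted(v) for k, v in by_class.items()}, flagged


if __name__ == "__main__":
    classes, flagged = triage(SAMPLE_LINES)
    for cls, hosts in classes.items():
        print(cls, hosts)
    print("flagged:", flagged)
```

Run against the full report, the "dropped_file" bucket absorbs the DigiCert, Azure and Office noise, while "network" and "sample_memory" are left with the hosts worth blocking or hunting for, with the duckdns.org name flagged as the likely C2.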

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 0_2_0040A2F3
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard | 0_2_0040B749
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 0_2_004168FC
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 1_2_0040987A
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 1_2_004098E2
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 2_2_00406DFC
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 2_2_00406E9F
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 3_2_004068B5
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard | 3_2_004072B5
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 0_2_0040A41B
Source: Yara match | File source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7560, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7588, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara match | File source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4119976104.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7560, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7588, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041CA6D SystemParametersInfoW
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041CA73 SystemParametersInfoW

                        System Summary

                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7560, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7588, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
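                        The entries above are API-sequence signatures: the clipboard and keyboard-state functions listed earlier (OpenClipboard/GetClipboardData, GetForegroundWindow/GetKeyboardState/ToUnicodeEx) and, in 0_2_0041812A, the CreateProcessW, Wow64GetThreadContext, NtUnmapViewOfSection, NtMapViewOfSection/WriteProcessMemory, Wow64SetThreadContext, ResumeThread chain that the report summarises as "Contains functionality to inject code into remote processes". The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own signature logic: a small Python classifier that parses entries of this form and tests each function's call list against ordered API subsequences. The behaviour names and patterns are the author's assumptions; the sample entries are copied from the report above with the long filename shortened to sample.exe.

```python
"""Classify Joe Sandbox "Code function" entries by ordered API-call patterns.

Added example for the report above; not Joe Sandbox's own signature logic.
The behaviour names and API patterns below are the author's assumptions.
"""
import re
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Matches the function id and the comma-separated API list of a report entry,
# whether or not the extraction glued "exe" and "Code function:" together.
CODE_FN_RE = re.compile(r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]{8})\s*(.*)$")

# Each behaviour is an ordered list of steps; a step is satisfied by any of
# its alternative API names, and the steps must appear in this order (gaps
# between them are allowed). These patterns are the author's assumptions.
BEHAVIOURS: Dict[str, List[Set[str]]] = {
    # Process hollowing: spawn a process, read its thread context, unmap its
    # image, place a new image (WriteProcessMemory or, as in this sample,
    # a section mapped with NtMapViewOfSection), fix the context, resume.
    "process_hollowing": [
        {"CreateProcessW", "CreateProcessA"},
        {"Wow64GetThreadContext", "GetThreadContext"},
        {"NtUnmapViewOfSection"},
        {"WriteProcessMemory", "NtMapViewOfSection"},
        {"Wow64SetThreadContext", "SetThreadContext"},
        {"ResumeThread", "NtResumeThread"},
    ],
    "clipboard_read": [{"OpenClipboard"}, {"GetClipboardData"}],
    "clipboard_write": [{"EmptyClipboard"}, {"SetClipboardData"}],
    # Keystroke capture: find the focused window, snapshot the key state,
    # translate virtual keys to characters under the victim's layout.
    "keystroke_capture": [
        {"GetForegroundWindow"}, {"GetKeyboardState"}, {"ToUnicodeEx"}
    ],
    "process_suspend": [{"OpenProcess"}, {"NtSuspendProcess"}],
}


def parse_code_function(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (function id, API call list) for a "Code function" entry, else None."""
    match = CODE_FN_RE.search(line)
    if not match:
        return None
    fn_id, rest = match.group(1), match.group(2).strip()
    # The report repeats the function id at the end as a link target; drop it.
    if rest.endswith(fn_id):
        rest = rest[: -len(fn_id)]
    calls = [c.strip() for c in rest.split(",") if c.strip()]
    return fn_id, calls


def matches_in_order(calls: Sequence[str], steps: Sequence[Set[str]]) -> bool:
    """True if every step is hit by some call, each after the previous step's hit."""
    pos = 0
    for alternatives in steps:
        while pos < len(calls) and calls[pos] not in alternatives:
            pos += 1
        if pos == len(calls):
            return False
        pos += 1  # the next step must come strictly later
    return True


def classify_report(lines: Sequence[str]) -> Dict[str, List[str]]:
    """Map each function id found in the report lines to the behaviours it shows."""
    result: Dict[str, List[str]] = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        fn_id, calls = parsed
        result[fn_id] = [
            name for name, steps in BEHAVIOURS.items() if matches_in_order(calls, steps)
        ]
    return result


# Constructed input: entries copied from the report above, with the long
# sample filename shortened to sample.exe.
SRC = "Source: C:\\Users\\user\\Desktop\\sample.exe"
REPORT_LINES = [
    SRC + "Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B749",
    SRC + "Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,"
    "GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,"
    "ToUnicodeEx,ToUnicodeEx,0_2_0040A41B",
    SRC + "Code function: 0_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,"
    "GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,"
    "GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,"
    "ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,"
    "NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,"
    "NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,"
    "GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,0_2_0041812A",
    SRC + "Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041BB9A",
    SRC + "Code function: 0_2_0043706A0_2_0043706A",  # entry without API names
    "Source: Yara matchFile source: sample.exe, type: SAMPLE",  # not a code-function entry
]

if __name__ == "__main__":
    for fn_id, behaviours in classify_report(REPORT_LINES).items():
        print(f"{fn_id}: {', '.join(behaviours) or '-'}")
```

                        Two caveats apply. The call list is a static summary of imports reachable from one function, so an ordered match says the code path exists, not that it ran; treat a hit as triage input, not proof. And this sample writes the replacement image through NtCreateSection/NtMapViewOfSection (the "Maps a DLL or memory area into another process" signature in the report) rather than VirtualAllocEx/WriteProcessMemory, so a hollowing pattern that insists on the textbook pair would miss it; the pattern above accepts either.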
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00401806 NtdllDefWindowProc_W,1_2_00401806
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_004018C0 NtdllDefWindowProc_W,1_2_004018C0
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004016FD NtdllDefWindowProc_A,2_2_004016FD
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004017B7 NtdllDefWindowProc_A,2_2_004017B7
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 3_2_00402CAC NtdllDefWindowProc_A,3_2_00402CAC
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 3_2_00402D66 NtdllDefWindowProc_A,3_2_00402D66
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004167EF
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0043706A0_2_0043706A
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004140050_2_00414005
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0043E11C0_2_0043E11C
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004541D90_2_004541D9
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004381E80_2_004381E8
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0041F18B0_2_0041F18B
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004462700_2_00446270
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0043E34B0_2_0043E34B
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004533AB0_2_004533AB
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0042742E0_2_0042742E
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004375660_2_00437566
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0043E5A80_2_0043E5A8
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004387F00_2_004387F0
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0043797E0_2_0043797E
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_004339D70_2_004339D7
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0044DA490_2_0044DA49
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00427AD70_2_00427AD7
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0041DBF30_2_0041DBF3
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00427C400_2_00427C40
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00437DB30_2_00437DB3
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00435EEB0_2_00435EEB
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0043DEED0_2_0043DEED
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00426E9F0_2_00426E9F
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_100171940_2_10017194
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_1000B5C10_2_1000B5C1
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0044B0401_2_0044B040
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0043610D1_2_0043610D
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_004473101_2_00447310
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0044A4901_2_0044A490
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0040755A1_2_0040755A
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0043C5601_2_0043C560
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0044B6101_2_0044B610
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0044D6C01_2_0044D6C0
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_004476F01_2_004476F0
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0044B8701_2_0044B870
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0044081D1_2_0044081D
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_004149571_2_00414957
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_004079EE1_2_004079EE
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00407AEB1_2_00407AEB
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0044AA801_2_0044AA80
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00412AA91_2_00412AA9
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00404B741_2_00404B74
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00404B031_2_00404B03
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0044BBD81_2_0044BBD8
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00404BE51_2_00404BE5
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00404C761_2_00404C76
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00415CFE1_2_00415CFE
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00416D721_2_00416D72
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00446D301_2_00446D30
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00446D8B1_2_00446D8B
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_00406E8F1_2_00406E8F
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004050382_2_00405038
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0041208C2_2_0041208C
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004050A92_2_004050A9
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0040511A2_2_0040511A
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0043C13A2_2_0043C13A
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004051AB2_2_004051AB
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004493002_2_00449300
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0040D3222_2_0040D322
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0044A4F02_2_0044A4F0
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0043A5AB2_2_0043A5AB
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004136312_2_00413631
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004466902_2_00446690
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0044A7302_2_0044A730
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004398D82_2_004398D8
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_004498E02_2_004498E0
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0044A8862_2_0044A886
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0043DA092_2_0043DA09
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_00438D5E2_2_00438D5E
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_00449ED02_2_00449ED0
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_0041FE832_2_0041FE83
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 2_2_00430F542_2_00430F54
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 3_2_004050C23_2_004050C2
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 3_2_004014AB3_2_004014AB
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00405133
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_004051A4
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00401246
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_0040CA46
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00405235
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_004032C8
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_004222D9
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00401689
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00402F60
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 00434801 appears 42 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 00401E65 appears 34 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: String function: 00416760 appears 69 times
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1701850166.0000000003651000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722771261.0000000000622000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120341681.00000000039FB000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722657937.00000000005CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Binary or memory string: OriginalFileName vs 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Binary or memory string: OriginalFilename vs 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7560, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7588, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/4@2/2
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc0393949-KH667X
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Temp\bhvAE0C.tmp
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: Software\ | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: 0SG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: Exe | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: Exe | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: 0SG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: (TG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: ,aF | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: Inj | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: Inj | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: HSG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: exepath | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: ,aF | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: HSG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: exepath | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: RG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: licence | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: tMG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: `SG | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: Administrator | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: User | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000002.00000002.1712571826.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120066851.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721430776.000000000083B000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000003.1720841983.000000000083B000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000003.1720989163.000000000083B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe "C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe"
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hpzxkuitwfkmc"
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rreicntmjndrmhtg"
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeProcess created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\tlkadfdoxvvepopkutxk"
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeProcess created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hpzxkuitwfkmc"Jump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeProcess created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rreicntmjndrmhtg"Jump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeProcess created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\tlkadfdoxvvepopkutxk"Jump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: rstrtmgr.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: pstorec.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: vaultcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: pstorec.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeFile opened: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.cfgJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Unpacked PE file: 1.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Unpacked PE file: 2.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Unpacked PE file: 3.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00457186 push ecx; ret 0_2_00457199
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041C7F3 push eax; retf 0_2_0041C7FD
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_10002806 push ecx; ret 0_2_10002819
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_10009FD8 push esi; ret 0_2_10009FD9
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0044693D push ecx; ret 1_2_0044694D
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0044DB70 push eax; ret 1_2_0044DB84
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0044DB70 push eax; ret 1_2_0044DBAC
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_00451D54 push eax; ret 1_2_00451D61
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_0044B090 push eax; ret 2_2_0044B0A4
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_0044B090 push eax; ret 2_2_0044B0CC
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_00444E71 push ecx; ret 2_2_00444E81
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00414060 push eax; ret 3_2_00414074
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00414060 push eax; ret 3_2_0041409C
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00414039 push ecx; ret 3_2_00414049
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_004164EB push 0000006Ah; retf 3_2_004165C4
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00416553 push 0000006Ah; retf 3_2_004165C4
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00416555 push 0000006Ah; retf 3_2_004165C4
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW, 0_2_00406EEB
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess, 0_2_0040F7E2
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 1_2_0040DD85
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A7D9
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Window / User API: threadDelayed 9308
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Window / User API: foregroundWindowGot 1765
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-52768
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | API coverage: 10.0 %
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe TID: 7460 | Thread sleep count: 177 > 30
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe TID: 7460 | Thread sleep time: -88500s >= -30000s
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe TID: 7464 | Thread sleep count: 255 > 30
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe TID: 7464 | Thread sleep time: -765000s >= -30000s
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe TID: 7464 | Thread sleep count: 9308 > 30
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe TID: 7464 | Thread sleep time: -27924000s >= -30000s
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_100010F1
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0040AE51 FindFirstFileW,FindNextFileW, 1_2_0040AE51
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 2_2_00407EF8
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 3_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 3_2_00407898
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_00418981 memset,GetSystemInfo, 1_2_00418981
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1700043589.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.000000000060C000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: bhvAE0C.tmp.1.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: bhvAE0C.tmp.1.dr | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | API call chain: ExitProcess graph end node graph_0-54332
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | API call chain: ExitProcess graph end node
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 1_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,1_2_0040DD85
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00443355 mov eax, dword ptr fs:[00000030h]0_2_00443355
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h]0_2_10004AB4
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00411D39 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,0_2_00411D39
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043503C
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB71
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_00434BD8 SetUnhandledExceptionFilter,0_2_00434BD8
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_100060E2
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_10002639
                        Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exeCode function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Section loaded: NULL target: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe protection: execute and read and write
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Section loaded: NULL target: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe protection: execute and read and write
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Section loaded: NULL target: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe protection: execute and read and write
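The API chain at 0_2_0041812A is the textbook process-hollowing sequence: a child is created, its thread context is read, the original image is unmapped, the payload is mapped in through a section (the three "execute and read and write" section loads above are that step), the entry point is redirected with a new context, and the thread is resumed. The matcher below is an added example, not Joe Sandbox code and not the sample's: it parses the report's "Code function:" lines and checks for that ordered sequence, and it also counts how many GetProcAddress calls precede the chain, since this sample resolves every injection API at run time. The step list and the accepted API spellings are the author's own summary of the technique; the two sample lines are copied from this report.

```python
"""Match the process-hollowing API sequence in sandbox 'Code function' evidence lines."""
import re
from typing import List, Optional, Tuple

# Function ids in the evidence lines look like 0_2_0041812A (process_phase_address).
ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")

# Milestones of the hollowing chain in the order they must appear. Each entry lists the
# API spellings accepted for that step; Wow64*/Nt*/Zw* variants are treated as equivalent.
# This list is an assumption of the example, not something the report states.
HOLLOWING_STEPS = (
    ("create target", {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}),
    ("read thread context", {"Wow64GetThreadContext", "GetThreadContext"}),
    ("unmap original image", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("place payload", {"NtMapViewOfSection", "WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect entry point", {"Wow64SetThreadContext", "SetThreadContext"}),
    ("run payload", {"ResumeThread", "NtResumeThread"}),
)


def parse_api_chain(line: str) -> Tuple[Optional[str], List[str]]:
    """Split 'Code function: <id> api,api,...,<id>' into (id, [apis]).
    Returns id None when the id is fused to a string, as in '... svchost.exe0_2_00412132'."""
    _, found, tail = line.partition("Code function:")
    if not found:
        raise ValueError("not a Code function evidence line")
    tokens = [t for t in re.split(r"[,\s]+", tail) if t]
    ids = [t for t in tokens if ID_RE.match(t)]
    calls = [t for t in tokens if not ID_RE.match(t)]
    return (ids[0] if ids else None), calls


def match_in_order(calls: List[str], steps=HOLLOWING_STEPS) -> Optional[List[Tuple[str, str, int]]]:
    """Greedy subsequence match: every step must occur after the previous one.
    Returns [(step name, api, index)] on a full match, otherwise None."""
    pos, hits = 0, []
    for name, alternatives in steps:
        while pos < len(calls) and calls[pos] not in alternatives:
            pos += 1
        if pos == len(calls):
            return None
        hits.append((name, calls[pos], pos))
        pos += 1
    return hits


def analyze(line: str) -> dict:
    """Summarise one evidence line: does it contain the hollowing chain, which calls
    satisfied each step, and how many GetProcAddress calls came before the chain."""
    fid, calls = parse_api_chain(line)
    hits = match_in_order(calls)
    chain_start = hits[0][2] if hits else len(calls)
    resolved = sum(1 for c in calls[:chain_start] if c == "GetProcAddress")
    return {"function": fid, "hollowing": hits is not None,
            "steps": hits or [], "dynamic_resolution": resolved}


# Sample lines taken from this report: the injection chain at 0_2_0041812A and, for
# contrast, the CRT exception-handler stub at 0_2_0043503C.
HOLLOWING_LINE = (
    "Code function: 0_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,"
    "GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,"
    "CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,"
    "NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,"
    "GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,"
    "ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,"
    "GetLastError,0_2_0041812A"
)
BENIGN_LINE = (
    "Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,"
    "GetCurrentProcess,TerminateProcess,0_2_0043503C"
)

if __name__ == "__main__":
    for line in (HOLLOWING_LINE, BENIGN_LINE):
        r = analyze(line)
        print(r["function"], "hollowing" if r["hollowing"] else "no match",
              [f"{api}@{i}" for _, api, i in r["steps"]],
              f"{r['dynamic_resolution']} GetProcAddress calls before the chain")
```

The greedy in-order match is sufficient here because each step only needs to occur somewhere after the previous one; it deliberately ignores the VirtualAlloc/ReadProcessMemory/NtCreateSection calls in between, which vary between hollowing implementations. A hit on the chain plus a high dynamic_resolution count is a stronger signal than either alone: the resolution prefix means none of these imports appear in the PE import table.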
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00412132 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00419662 mouse_event
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hpzxkuitwfkmc"
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rreicntmjndrmhtg"
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Process created: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\tlkadfdoxvvepopkutxk"
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722657937.00000000005F4000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.0000000000604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [2024/10/20 13:28:55 Program Manager]
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.00000000005F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.0000000000604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager*
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.00000000005F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerm<'m
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.00000000005F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager)=
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.00000000005F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerles\*"=
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722983778.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722983778.00000000005F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.0000000000604000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerz
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00434CB6 cpuid
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040F90C GetLocaleInfoA
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0045201B EnumSystemLocalesW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_004520B6 EnumSystemLocalesW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00452143 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00452393 GetLocaleInfoW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00448484 EnumSystemLocalesW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_004524BC GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_004525C3 GetLocaleInfoW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00452690 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0044896D GetLocaleInfoW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00451D58 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00451FD0 EnumSystemLocalesW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 1_2_0041739B GetVersionExW
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4119976104.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7588, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040BA4D \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040BB6B \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040BB6B \key3.db
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_004033F0 ESMTPPassword
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 2_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR
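Two behaviours in this report are worth turning into detection logic: the sample re-launches its own image three times with /stext "<random name in %LOCALAPPDATA%\Temp>" (in the HIPS section above), which is the "save as text file" switch of the NirSoft password-recovery utilities that Remcos embeds for its browser and mail credential dumps, and the resulting children open Chrome, Edge and Firefox credential stores (Login Data, key4.db, profiles.ini) that only the browser itself has a reason to touch. The rules below are an added example, not Joe Sandbox or Remcos code: they run over a constructed stream of Sysmon-style event dictionaries whose command lines and file paths are the ones listed in this report; the event field names, the benign contrast events, the PID values and the path pattern list are the author's assumptions.

```python
"""Detection rules for the credential-dump pattern in this report: self-spawn with a
NirSoft dump switch, and foreign processes reading browser credential stores."""
import fnmatch
import ntpath
import re

# NirSoft output switches that write a report to a file (/stext, /scomma, ...).
DUMP_SWITCH = re.compile(r'(?i)\s/s(text|comma|tab|html|verhtml|xml)\s+"?([^"]+)"?')
TEMP_DIR_MARK = "\\appdata\\local\\temp\\"

# Browser credential stores and the one image expected to open each of them.
# Assumed pattern list; it covers the files this report shows being opened.
CREDENTIAL_STORES = [
    ("*\\google\\chrome\\user data\\*\\login data", {"chrome.exe"}),
    ("*\\google\\chrome\\user data\\*\\web data", {"chrome.exe"}),
    ("*\\microsoft\\edge\\user data\\*\\login data", {"msedge.exe"}),
    ("*\\mozilla\\firefox\\profiles\\*\\key4.db", {"firefox.exe"}),
    ("*\\mozilla\\firefox\\profiles\\*\\key3.db", {"firefox.exe"}),
    ("*\\mozilla\\firefox\\profiles\\*\\logins.json", {"firefox.exe"}),
    ("*\\mozilla\\firefox\\profiles.ini", {"firefox.exe"}),
]


def self_spawn_dump(ev):
    """process_create event where parent image == child image and the command line
    carries a NirSoft dump switch. Returns a finding dict or None."""
    if ev["type"] != "process_create":
        return None
    if ntpath.normcase(ev["parent_image"]) != ntpath.normcase(ev["image"]):
        return None
    m = DUMP_SWITCH.search(ev["command_line"])
    if not m:
        return None
    out = m.group(2)
    return {"rule": "self_spawn_password_dump", "pid": ev["pid"],
            "switch": "/s" + m.group(1).lower(), "output": out,
            "in_temp": TEMP_DIR_MARK in ntpath.normcase(out)}


def credential_store_access(ev):
    """file_open event on a browser credential store by an image that is not that browser."""
    if ev["type"] != "file_open":
        return None
    path = ntpath.normcase(ev["path"])
    actor = ntpath.basename(ntpath.normcase(ev["image"]))
    for pattern, owners in CREDENTIAL_STORES:
        if fnmatch.fnmatchcase(path, pattern) and actor not in owners:
            return {"rule": "foreign_credential_store_read", "pid": ev["pid"],
                    "image": actor, "path": ev["path"]}
    return None


def run_rules(events):
    """Apply every rule to every event, preserving event order."""
    findings = []
    for ev in events:
        for rule in (self_spawn_dump, credential_store_access):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


SAMPLE_EXE = r"C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed event stream. The three /stext command lines and the two credential-store
# paths are taken from this report; the PIDs and the Chrome events are illustrative.
EVENTS = [
    {"type": "process_create", "pid": 7548, "parent_image": SAMPLE_EXE, "image": SAMPLE_EXE,
     "command_line": SAMPLE_EXE + r' /stext "C:\Users\user\AppData\Local\Temp\hpzxkuitwfkmc"'},
    {"type": "process_create", "pid": 7560, "parent_image": SAMPLE_EXE, "image": SAMPLE_EXE,
     "command_line": SAMPLE_EXE + r' /stext "C:\Users\user\AppData\Local\Temp\rreicntmjndrmhtg"'},
    {"type": "process_create", "pid": 7588, "parent_image": SAMPLE_EXE, "image": SAMPLE_EXE,
     "command_line": SAMPLE_EXE + r' /stext "C:\Users\user\AppData\Local\Temp\tlkadfdoxvvepopkutxk"'},
    {"type": "process_create", "pid": 4120, "parent_image": CHROME, "image": CHROME,
     "command_line": '"' + CHROME + '" --type=renderer'},
    {"type": "file_open", "pid": 7548, "image": SAMPLE_EXE,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 7548, "image": SAMPLE_EXE,
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db"},
    {"type": "file_open", "pid": 4120, "image": CHROME,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f)
```

The self-spawn condition is what separates this from an administrator running a NirSoft tool by hand: a legitimate run has a different parent and a meaningful output filename, while the hollowed Remcos children are the RAT's own image writing to a random lowercase name under Temp. The credential-store rule is deliberately strict about the owning image; unlocker or backup software that touches these files should be added to the owner set rather than loosening the pattern.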

Remote Access Functionality

Source: Yara match | File source: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 3.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4119976104.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7436, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe PID: 7588, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | Code function: 0_2_0040569A cmd.exe
MITRE ATT&CK Matrix (by tactic)

The number in front of a technique is the count shown next to it in the original matrix; techniques without a number are the unmatched placeholders of the full matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 11 Native API; 13 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 222 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; Dynamic API Resolution
Credential Access: 2 OS Credential Dumping; 211 Input Capture; 2 Credentials in Registry; 3 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 38 System Information Discovery; 31 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 (technique name cut off in the source)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 211 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 2 Non-Application Layer Protocol; 22 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

The matrix is cut off after the tenth row in the source; the remaining cells of that row are not available.
                        System Owner/User Discovery
                        Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Behavior Graph (ID: 1538197). Sample: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe; Startdate: 20/10/2024; Architecture: WINDOWS; Score: 100.
Network nodes: janbours92harbu007.duckdns.org (172.111.244.103, ports 3981, 49730, 49731; M247GB, United States); geoplugin.net (178.237.33.50, ports 49732, 80; ATOM86-ASATOM86NL, Netherlands).
Dropped file: C:\ProgramData\remcos\logs.dat (data).
Process tree: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe started, and in turn started three further instances of the same executable.
Signatures at sample level: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures; Uses dynamic DNS services (janbours92harbu007.duckdns.org).
Signatures at the parent process: Contains functionality to bypass UAC (CMSTPLUA); Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file registry); 8 other signatures.
Signatures at the child processes: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc).

Source | Detection | Scanner | Label | Link
1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | 84% | ReversingLabs | Win32.Backdoor.Remcos |
1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | 100% | Joe Sandbox ML | |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.imvu.comr | 0% | URL Reputation | safe |
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | URL Reputation | safe |
http://www.imvu.com | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
http://www.ebuddy.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
janbours92harbu007.duckdns.org | 172.111.244.103 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
janbours92harbu007.duckdns.org | true | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
Wealthabundance.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.imvu.comr | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120341681.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W | bhvAE0C.tmp.1.dr | false | | unknown
http://www.imvu.comta | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000003.1714015326.000000000097D000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000003.1713988826.000000000097D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad | bhvAE0C.tmp.1.dr | false | | unknown
https://aefd.nelreports.net/api/report?cat=bingth | bhvAE0C.tmp.1.dr | false | | unknown
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | bhvAE0C.tmp.1.dr | false | | unknown
http://www.nirsoft.net | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000001.00000002.1721137795.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvAE0C.tmp.1.dr | false | | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvAE0C.tmp.1.dr | false | URL Reputation: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr | bhvAE0C.tmp.1.dr | false | | unknown
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | bhvAE0C.tmp.1.dr | false | | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr | bhvAE0C.tmp.1.dr | false | | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4120341681.00000000039E0000.00000040.10000000.00040000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51 | bhvAE0C.tmp.1.dr | false | | unknown
https://www.google.com | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c | bhvAE0C.tmp.1.dr | false | | unknown
http://geoplugin.net/json.gp/C | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | false | URL Reputation: safe | unknown
https://maps.windows.com/windows-app-web-link | bhvAE0C.tmp.1.dr | false | | unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhvAE0C.tmp.1.dr | false | | unknown
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8 | bhvAE0C.tmp.1.dr | false | | unknown
https://login.yahoo.com/config/login | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d | bhvAE0C.tmp.1.dr | false | | unknown
http://geoplugin.net/json.gpRt | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1699766502.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1703507034.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d | bhvAE0C.tmp.1.dr | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | bhvAE0C.tmp.1.dr | false | URL Reputation: safe | unknown
https://www.office.com/ | bhvAE0C.tmp.1.dr | false | | unknown
https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8 | bhvAE0C.tmp.1.dr | false | | unknown
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68 | bhvAE0C.tmp.1.dr | false | | unknown
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2 | bhvAE0C.tmp.1.dr | false | | unknown
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d | bhvAE0C.tmp.1.dr | false | | unknown
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437 | bhvAE0C.tmp.1.dr | false | | unknown
http://www.imvu.com | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000003.1714015326.000000000097D000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000003.1713988826.000000000097D000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aefd.nelreports.net/api/report?cat=wsb | bhvAE0C.tmp.1.dr | false | | unknown
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326 | bhvAE0C.tmp.1.dr | false | | unknown
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03 | bhvAE0C.tmp.1.dr | false | | unknown
https://aefd.nelreports.net/api/report?cat=bingaot | bhvAE0C.tmp.1.dr | false | | unknown
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae | bhvAE0C.tmp.1.dr | false | | unknown
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7 | bhvAE0C.tmp.1.dr | false | | unknown
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD | bhvAE0C.tmp.1.dr | false | | unknown
http://geoplugin.net/json.gpes | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722983778.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1699766502.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1703507034.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000003.1722657937.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000000.00000002.4119674517.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | bhvAE0C.tmp.1.dr | false | | unknown
https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993 | bhvAE0C.tmp.1.dr | false | | unknown
https://www.google.com/accounts/servicelogin | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe | false | | unknown
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5 | bhvAE0C.tmp.1.dr | false | | unknown
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3 | bhvAE0C.tmp.1.dr | false | | unknown
https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135 | bhvAE0C.tmp.1.dr | false | | unknown
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59 | bhvAE0C.tmp.1.dr | false | | unknown
http://www.ebuddy.com | 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, 00000003.00000002.1714550710.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                                                                    • No. of IPs < 25%
                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                    • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.111.244.103 | janbours92harbu007.duckdns.org | United States | | 9009 | M247GB | true
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538197
Start date and time: 2024-10-20 19:28:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@7/4@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 139
• Number of non-executed functions: 304
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Time | Type | Description
13:29:27 | API Interceptor | 7702537x Sleep call for process: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe modified
Process: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
File Type: data
Category: dropped
Size (bytes): 264
Entropy (8bit): 3.4302117404069583
Encrypted: false
SSDEEP: 6:6lj0lWwlQ4b5YcIeeDAlMlj0lWwlQ6bWA7DxbN2fBMMm0v:6l4UKecml4U6bWItN25MMl
MD5: 046AD8F65FEFC76565AB14A01A7875BC
SHA1: 94C65CE9DA3912FECA596D78C522662E33AD17C9
SHA-256: A45B8A714074C4026900ED0B7A7EC29D3AE8D298AC54B24D5F8CD0923A539F41
SHA-512: 3376738E01F91EC452CCE2A4ADE6674D39A982A5147C477DB4D8063E279C5F43A6F3835A8CD570BC67D68C67112228241D18116625B045002AAAFF878B9D3E84
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.4./.1.0./.2.0. .1.3.:.2.8.:.5.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.1.0./.2.0. .1.3.:.2.8.:.5.5. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.....

Process: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 974
Entropy (8bit): 4.995209607410673
Encrypted: false
SSDEEP: 12:tkWemnd6UGkMyGWKyGXPVGArwY34MaUHZGgArpv/mOAaNO+ao9W7iN5zzkw7+rGf:qWrdVauKyGX85pvXhNlT3/7+kjsro
MD5: 50440AA5E9F219BCE78E626C5DA8DE79
SHA1: 417B51FA88B962F82118A87BC7F297026B89287B
SHA-256: D0F28425FC4DA72A769A39E1F990E8EA8088C2BCB54CFAFD66493D03B3741F46
SHA-512: 3266D918A5A3DF1A874431736EC03C76EA3B8996C0CF95C4C06AE639466F9DF0D56F70483CCA3881F1FC8F48FBD2F3642202503FA5A45B0B65525C386F8F1686
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"96.44.151.125",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Los Angeles",. "geoplugin_region":"California",. "geoplugin_regionCode":"CA",. "geoplugin_regionName":"California",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"803",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"33.956",. "geoplugin_longitude":"-118.3887",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x5a82f026, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 20447232
Entropy (8bit): 1.2830239344604952
Encrypted: false
SSDEEP: 12288:pRSPOhijljKhBfvKDv2G+555ckQB8WBbXnE:Wii9PDp+
MD5: BC13D7E10569C6F525A18B18B480A1C3
SHA1: 4C74AAE956407CDB7D5A64ED1472400E95A0F0B1
SHA-256: AE570A92D9CD253380A3DE49581D18140E1834C0CE4D40CCFD64BF7C9ABD31C7
SHA-512: 6B80DA50A0410C245C0751471F4E5A5B801A3B144E19B94CE5AA478E6852B267082C985043088894BE8EECA8DCF846CF05911EDCC2D0621B9AB6541388A85ECA
Malicious: false
Reputation: low
Preview: Z..&... ........=......J}...0...{........................"..........{.......{..h.$..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;.................................j3'!.....{...................3.......{...........................#......h.$.....................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.600235685337234
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
File size: 494'592 bytes
MD5: 848b4297cc3b325ab1f7cbf347b35624
SHA1: d809d80dab17186abd0bb9cd5b4c05d92d81e220
SHA256: 6a8c2987ea059d7ad328722dfe1d8c7e08f257fbf3b7ef9dfd37b8e2f485840a
SHA512: 471ed0a0dde27cd122b703c6ab218bee5b6d03f0733b0f80b329dd6a9195e484924d23fc9c9469a72b2470a4dc4cad76d98576dc24421b8d0ad8dd09eb0f17e6
SSDEEP: 6144:W5zY+w1LqZBCxKedv//NEUn+N5hkf/0TE7RvIZ/jbsAORZzAXMcrKA4:W5k+Yqaxrh3Nln+N52fIA4jbsvZzhA4
TLSH: 12B4AE01BAD2C072D57514300D3AF776EAB8BD201836497B73DA1D5BFE31190A72AAB7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
Icon Hash: 95694d05214c1b33
Entrypoint: 0x434a80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6710C0B1 [Thu Oct 17 07:45:53 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 1389569a3a39186f3eb453b501cfe688
Entrypoint disassembly (Instruction):
call 00007F498C5184CBh
jmp 00007F498C517F13h
push ebp
mov ebp, esp
sub esp, 00000324h
push ebx
push esi
push 00000017h
call 00007F498C53A763h
test eax, eax
je 00007F498C518087h
mov ecx, dword ptr [ebp+08h]
int 29h
xor esi, esi
lea eax, dword ptr [ebp-00000324h]
push 000002CCh
push esi
push eax
mov dword ptr [00471D14h], esi
call 00007F498C51A4D6h
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax
mov dword ptr [ebp-00000278h], ecx
mov dword ptr [ebp-0000027Ch], edx
mov dword ptr [ebp-00000280h], ebx
mov dword ptr [ebp-00000284h], esi
mov dword ptr [ebp-00000288h], edi
                                                                                                                      mov word ptr [ebp-0000025Ch], ss
                                                                                                                      mov word ptr [ebp-00000268h], cs
                                                                                                                      mov word ptr [ebp-0000028Ch], ds
                                                                                                                      mov word ptr [ebp-00000290h], es
                                                                                                                      mov word ptr [ebp-00000294h], fs
                                                                                                                      mov word ptr [ebp-00000298h], gs
                                                                                                                      pushfd
                                                                                                                      pop dword ptr [ebp-00000264h]
                                                                                                                      mov eax, dword ptr [ebp+04h]
                                                                                                                      mov dword ptr [ebp-0000026Ch], eax
                                                                                                                      lea eax, dword ptr [ebp+04h]
                                                                                                                      mov dword ptr [ebp-00000260h], eax
                                                                                                                      mov dword ptr [ebp-00000324h], 00010001h
                                                                                                                      mov eax, dword ptr [eax-04h]
                                                                                                                      push 00000050h
                                                                                                                      mov dword ptr [ebp-00000270h], eax
                                                                                                                      lea eax, dword ptr [ebp-58h]
                                                                                                                      push esi
                                                                                                                      push eax
                                                                                                                      call 00007F498C51A44Dh
Programming Language:
• [C++] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
(These markers are taken from the Rich header's tool and import-library entries. The .gfids section and the int 29h fast-fail path in the listing above are only produced by MSVC toolchains newer than VS2008, so the build 30729 entries reflect older libraries linked into the binary rather than the compiler that produced it.)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6eeb8          0x104         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x79000          0x4b14        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7e000          0x3bc8        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x6d350          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x6d3e4          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x6d388          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x59000          0x500         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
(An empty SECURITY directory means the file carries no Authenticode signature.)
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy               Characteristics
.text   0x1000           0x571f5       0x57200   42490688bcf3aaa371282a7454b99e23  False     0.5716155173959828   data       6.625772280516175     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x59000          0x179dc       0x17a00   8c19f58f5a4e5f2d5359d54234473252  False     0.5008370535714286   data       5.862025333737917     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x71000          0x5d54        0xe00     0eaccffe1cb836994ce5d3ccfb22d4f9  False     0.22126116071428573  data       3.0035180736120775    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x77000          0x9           0x200     1f354d76203061bfdd5a53dae48d5435  False     0.033203125          data       0.020393135236084953  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids  0x78000          0x230         0x400     9ca325bce9f8c0342c0381814603584a  False     0.330078125          data       2.3999762503719224    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x79000          0x4b14        0x4c00    292c643dff8014b388018aea7cb25f71  False     0.28058182565789475  data       3.9840030237476562    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x7e000          0x3bc8        0x3c00    71caad037f5f2070293ebf9ebb49e4e2  False     0.764453125          data       6.724383647387111     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                Language  Country        ZLIB Complexity
RT_ICON        0x7918c  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088    English   United States  0.3421985815602837
RT_ICON        0x795f4  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400    English   United States  0.27704918032786885
RT_ICON        0x79f7c  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224    English   United States  0.23686679174484052
RT_ICON        0x7b024  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600    English   United States  0.22977178423236513
RT_RCDATA      0x7d5cc  0x508   data                                                                                         1.0085403726708075
RT_GROUP_ICON  0x7dad4  0x3e    data                                                                English   United States  0.8064516129032258
(The 0x508-byte RT_RCDATA resource has a ZLIB complexity above 1.0, i.e. it does not compress at all: it is encrypted or random data, which is where Remcos keeps its configuration.)
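The incompressible RCDATA resource above is the kind of blob a Remcos configuration extractor targets. The following is an added example, not code from this report or from Joe Sandbox: it implements the container layout that public Remcos decoders describe (one key-length byte, the RC4 key, then RC4-encrypted fields separated by the delimiter used by v3/v4 builds), reproduces the report's "ZLIB Complexity" metric so the encrypted blob can be recognised before decryption, and pulls host:port pairs out of a decrypted field. The delimiter and container layout are assumptions taken from those public descriptions; the key, field values and host separator are constructed demo data, not the configuration of the analysed sample.

```python
import re
import zlib

# Field delimiter reported by public Remcos v3/v4 decoders (assumption for this example).
FIELD_DELIM = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pack_settings(key: bytes, fields) -> bytes:
    """Build a SETTINGS-style blob: key-length byte, key, RC4(key, delimiter-joined fields)."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_DELIM.join(fields))


def unpack_settings(blob: bytes):
    """Reverse of pack_settings. Rejects blobs whose key-length byte cannot be right."""
    if not blob:
        raise ValueError("empty resource")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + len(FIELD_DELIM):
        raise ValueError("implausible key length for a %d-byte resource" % len(blob))
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    if FIELD_DELIM not in plain:
        raise ValueError("no field delimiter after decryption (wrong key or different format)")
    return plain.split(FIELD_DELIM)


def zlib_complexity(data: bytes) -> float:
    """The report's 'ZLIB Complexity': compressed size / raw size. Near or above 1.0 means encrypted/random."""
    return len(zlib.compress(data)) / len(data)


HOSTPORT = re.compile(rb"([A-Za-z0-9][A-Za-z0-9.-]*):(\d{1,5})")


def extract_hostports(field: bytes):
    """host:port pairs in a decrypted field, regardless of how the field separates multiple hosts."""
    return [(h.decode(), int(p)) for h, p in HOSTPORT.findall(field) if 0 < int(p) < 65536]


# Constructed demo configuration, NOT the analysed sample's configuration.
DEMO_KEY = b"example-key-not-from-sample"
DEMO_FIELDS = [
    b"c2.example.invalid:3981:1\x1fbackup.example.invalid:2404:1",  # host separator is part of the demo data
    b"demo-botnet",
    b"1",
    b"0",
    b"A" * 64,  # repeated filler so the plaintext is visibly compressible, unlike the ciphertext
]
DEMO_BLOB = pack_settings(DEMO_KEY, DEMO_FIELDS)

if __name__ == "__main__":
    print("blob complexity %.3f, plaintext complexity %.3f"
          % (zlib_complexity(DEMO_BLOB), zlib_complexity(FIELD_DELIM.join(DEMO_FIELDS))))
    print(extract_hostports(unpack_settings(DEMO_BLOB)[0]))
```

On a real sample the blob is the raw bytes of the RCDATA resource; if the first byte does not leave room for a key plus at least one delimiter, or the decrypted data contains no delimiter, the resource is either a different build's format or not the configuration at all, and the function refuses rather than returning garbage.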
DLL           Import
KERNEL32.dll: FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll: GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll: BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll: CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll: ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll: CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll: PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll: waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll: gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll: URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll: GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll: InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
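The import table above carries most of the capability findings listed in the signature overview (process injection via CreateProcessW/WriteProcessMemory/SetThreadContext/ResumeThread, a global keyboard hook via SetWindowsHookExA/ToUnicodeEx, clipboard and screen capture, waveIn microphone capture, CoGetObject for the CMSTPLUA elevation moniker). As an added example that is not code from this report or from Joe Sandbox, the script below turns an import table into such findings by requiring API co-occurrence rather than matching single APIs, and includes a stdlib-only walker of the PE import directory so it can be run against a file. The rule names and groupings are the example's own; REPORTED_IMPORTS copies a subset of the listing above so the rules can be exercised without the sample.

```python
import struct

# Each capability requires ALL listed APIs (A/W encoding suffix stripped) to be imported.
# Co-occurrence keeps generic single APIs (VirtualAlloc, RegSetValueEx) from firing a rule.
CAPABILITY_RULES = {
    "process hollowing / remote code injection":
        ["CreateProcess", "WriteProcessMemory", "GetThreadContext", "SetThreadContext", "ResumeThread"],
    "global keyboard hook (keylogging)": ["SetWindowsHookEx", "CallNextHookEx", "ToUnicodeEx"],
    "clipboard capture": ["OpenClipboard", "GetClipboardData"],
    "screen capture": ["BitBlt", "CreateCompatibleBitmap", "GetDIBits"],
    "microphone capture": ["waveInOpen", "waveInAddBuffer"],
    "COM moniker binding (required by the CMSTPLUA UAC bypass)": ["CoGetObject"],
    "download and execute": ["URLDownloadToFile", "ShellExecute"],
    "service tampering": ["OpenSCManager", "ChangeServiceConfig", "ControlService"],
    "token privilege adjustment": ["OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"],
    "raw TCP client": ["WSAStartup", "socket", "connect", "send", "recv"],
}


def normalize(api):
    """Drop a trailing A/W suffix so SetWindowsHookExA and SetWindowsHookExW compare equal."""
    return api[:-1] if len(api) > 2 and api[-1] in "AW" else api


def classify(imports):
    """imports: {dll: [api, ...]} -> {capability: required apis} for every fully satisfied rule."""
    present = {normalize(a) for apis in imports.values() for a in apis}
    return {cap: apis for cap, apis in CAPABILITY_RULES.items() if all(a in present for a in apis)}


def _rva_to_offset(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def parse_imports(data):
    """Walk the PE import directory with struct only (no pefile). Returns {dll: [api or '#ordinal']}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("bad NT header signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory starts at +96 (PE32) or +112 (PE32+); entry 1 (offset 8) is IMPORT.
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    result = {}
    if imp_rva == 0:
        return result
    desc = _rva_to_offset(sections, imp_rva)
    thunk_fmt, thunk_size = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (8 * thunk_size - 1)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        apis = []
        t = _rva_to_offset(sections, oft or ft)  # prefer the unbound name table
        while True:
            entry = struct.unpack_from(thunk_fmt, data, t)[0]
            if entry == 0:
                break
            apis.append("#%d" % (entry & 0xFFFF) if entry & ordinal_flag
                        else _cstring(data, _rva_to_offset(sections, entry) + 2))  # skip 2-byte hint
            t += thunk_size
        result[_cstring(data, _rva_to_offset(sections, name_rva))] = apis
        desc += 20
    return result


def capabilities_from_file(path):
    with open(path, "rb") as f:
        return classify(parse_imports(f.read()))


# Subset of this report's import table, copied from the DLL/Import listing above.
REPORTED_IMPORTS = {
    "KERNEL32.dll": ["CreateProcessW", "WriteProcessMemory", "GetThreadContext", "SetThreadContext",
                     "ResumeThread", "CreateToolhelp32Snapshot", "VirtualAlloc"],
    "USER32.dll": ["SetWindowsHookExA", "CallNextHookEx", "ToUnicodeEx", "GetKeyboardLayout",
                   "OpenClipboard", "GetClipboardData", "ExitWindowsEx"],
    "GDI32.dll": ["BitBlt", "CreateCompatibleBitmap", "GetDIBits"],
    "ADVAPI32.dll": ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges",
                     "OpenSCManagerW", "ChangeServiceConfigW", "ControlService"],
    "SHELL32.dll": ["ShellExecuteW", "ShellExecuteExA"],
    "ole32.dll": ["CoGetObject"],
    "WINMM.dll": ["waveInOpen", "waveInAddBuffer"],
    "WS2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv"],
    "urlmon.dll": ["URLDownloadToFileW"],
}
```

Import-based triage is only a prior: a packed sample imports almost nothing and resolves everything at run time, and CoGetObject alone proves nothing until the Elevation:Administrator!new: moniker string is found alongside it. Run `capabilities_from_file(path)` on a dropped or unpacked copy rather than on the packed dropper.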
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                        SID      Signature                                            Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-10-20T19:28:57.477867+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.4  49730        172.111.244.103  3981       TCP
2024-10-20T19:28:59.679528+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.4  49731        172.111.244.103  3981       TCP
2024-10-20T19:29:00.449017+0200  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa   3         192.168.2.4  49732        178.237.33.50    80         TCP
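Both Remcos alerts are JA3 matches: the rule fingerprints the ClientHello the sample's TLS stack sends, which is why it fires on an arbitrary port (3981 here) where no protocol-level rule would. As an added example that is not code from this report, from Joe Sandbox or from the Emerging Threats rule, the block below builds a TLS ClientHello record and computes its JA3 string and MD5 the way the published JA3 algorithm specifies (client version, cipher suites, extension types, supported groups, EC point formats, with GREASE values dropped). The ClientHello contents are constructed for the demo and its hash is not the Remcos hash the rule matches on.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 ignores them wherever they appear.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(n):
    return struct.pack(">H", n)


def _u24(n):
    return n.to_bytes(3, "big")


def build_client_hello(version, ciphers, groups, point_formats, server_name, extra_ext_types=()):
    """TLS record carrying a ClientHello with SNI, optional empty extensions, supported_groups, ec_point_formats."""
    host = server_name.encode()
    sni = _u16(len(host) + 3) + b"\x00" + _u16(len(host)) + host
    exts = _u16(0) + _u16(len(sni)) + sni
    for ext_type in extra_ext_types:            # e.g. a GREASE extension with an empty body
        exts += _u16(ext_type) + _u16(0)
    g = b"".join(_u16(x) for x in groups)
    exts += _u16(10) + _u16(len(g) + 2) + _u16(len(g)) + g
    pf = bytes(point_formats)
    exts += _u16(11) + _u16(len(pf) + 1) + bytes([len(pf)]) + pf
    cs = b"".join(_u16(c) for c in ciphers)
    body = (_u16(version) + bytes(32) + b"\x00"          # version, random, empty session id
            + _u16(len(cs)) + cs + b"\x01\x00"           # cipher suites, one compression method (null)
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + _u24(len(body)) + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def ja3_string(record):
    """Parse a ClientHello record and return the JA3 string 'version,ciphers,extensions,groups,formats'."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                                # record header (5) + handshake type (1) + length (3)
    version = struct.unpack_from(">H", record, p)[0]
    p += 2 + 32                                          # version, random
    p += 1 + record[p]                                   # session id
    cs_len = struct.unpack_from(">H", record, p)[0]
    p += 2
    ciphers = [struct.unpack_from(">H", record, p + i)[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                                   # compression methods
    ext_types, groups, formats = [], [], []
    if p + 2 <= len(record):                             # extensions are optional
        end = p + 2 + struct.unpack_from(">H", record, p)[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from(">HH", record, p)
            p += 4
            data = record[p:p + ext_len]
            p += ext_len
            ext_types.append(ext_type)
            if ext_type == 10:                           # supported_groups
                n = struct.unpack_from(">H", data, 0)[0]
                groups = [struct.unpack_from(">H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif ext_type == 11:                         # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(formats)])


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed demo ClientHello: a GREASE cipher, a GREASE extension and a GREASE group must all be ignored.
DEMO_HELLO = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], [0x1A1A, 0x001D, 0x0017],
                                [0], "c2.example.invalid", extra_ext_types=(0x2A2A,))

if __name__ == "__main__":
    print(ja3_string(DEMO_HELLO), ja3_hash(DEMO_HELLO))
```

A JA3 hash identifies a TLS client implementation, not a destination, so a match is strongest when combined with the other context the report gives: a dynamic-DNS hostname, a non-standard port such as 3981, and the process that opened the socket. Clients that randomise extension order, or a Remcos build linked against a different TLS library, produce a different hash and will not match this rule.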
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 20, 2024 19:28:56.302324057 CEST  49730        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:56.307251930 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:56.307638884 CEST  49730        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:56.320044994 CEST  49730        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:56.325901031 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:57.436341047 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:57.477866888 CEST  49730        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:57.596198082 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:57.600411892 CEST  49730        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:57.605364084 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:57.605446100 CEST  49730        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:57.610351086 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:57.949490070 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:57.951245070 CEST  49730        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:57.956178904 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:58.110399961 CEST  3981         49730      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:58.136145115 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:58.141114950 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:58.141206980 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:58.165345907 CEST  49730        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:58.180578947 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:58.185434103 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:59.396564960 CEST  49732        80         192.168.2.4      178.237.33.50
Oct 20, 2024 19:28:59.401639938 CEST  80           49732      178.237.33.50    192.168.2.4
Oct 20, 2024 19:28:59.401717901 CEST  49732        80         192.168.2.4      178.237.33.50
Oct 20, 2024 19:28:59.401870012 CEST  49732        80         192.168.2.4      178.237.33.50
Oct 20, 2024 19:28:59.406975985 CEST  80           49732      178.237.33.50    192.168.2.4
Oct 20, 2024 19:28:59.672362089 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:59.679527998 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:59.685102940 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:28:59.685163021 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:28:59.690525055 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019361973 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019428015 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019464016 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019496918 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019536018 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019542933 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.019582987 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019608021 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.019618034 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019649029 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019659042 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.019682884 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019694090 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.019731998 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019768953 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.019781113 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.024674892 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.024734974 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.186739922 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.186779022 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.186814070 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.186847925 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.186855078 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.186882019 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.186902046 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.187118053 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.187150002 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.187170029 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.187184095 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.187216043 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.187230110 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.187267065 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.187314987 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.187925100 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.187973976 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.188011885 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.188024998 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.188044071 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.188076019 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.188092947 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.188895941 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.188945055 CEST  49731        3981       192.168.2.4      172.111.244.103
Oct 20, 2024 19:29:00.188946009 CEST  3981         49731      172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.188981056 CEST  3981         49731      172.111.244.103  192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.189011097 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.189038038 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.189044952 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.189090967 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.189655066 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.189687014 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.189729929 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.189745903 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.243381977 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.343508959 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349143982 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349198103 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349215984 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.349234104 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349267006 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349282980 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.349303007 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349358082 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.349406004 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349477053 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349536896 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.349766016 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349798918 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349833965 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349841118 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.349867105 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349909067 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.349910975 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.350311995 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.350351095 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.350361109 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.350392103 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.350425005 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.350441933 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.350460052 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.350506067 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.350847006 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.350895882 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.350940943 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.350949049 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.350981951 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351016045 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351027966 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.351048946 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351083994 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351100922 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.351752996 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351803064 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.351823092 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351859093 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351891041 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351912022 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.351924896 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351958036 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.351973057 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.351993084 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.352041006 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.352663040 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.352729082 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.352762938 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.352775097 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.352794886 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.352827072 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.352834940 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.352859974 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.352895021 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.352900982 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.353590012 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.353632927 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.353641987 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.353676081 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.353708029 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.353713989 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.353740931 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.353774071 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.353780031 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.399585962 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.448905945 CEST8049732178.237.33.50192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.449017048 CEST4973280192.168.2.4178.237.33.50
                                                                                                                      Oct 20, 2024 19:29:00.501606941 CEST497303981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.506802082 CEST398149730172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.506839037 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.506901979 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.506957054 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.506968975 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.506988049 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507033110 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.507039070 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507074118 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507106066 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507123947 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.507139921 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507172108 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507185936 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.507205009 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507246017 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.507256985 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507294893 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507342100 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.507941008 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.507992983 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508028030 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508044004 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.508060932 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508097887 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508104086 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.508517981 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508550882 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508567095 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.508603096 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508649111 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.508658886 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508692980 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508723974 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508735895 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.508759022 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508795023 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.508805037 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.509538889 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.509582996 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.509596109 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.509648085 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.509680033 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.509699106 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.509712934 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.509743929 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.509753942 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.509778023 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.509812117 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.509819984 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.510495901 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.510548115 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.510548115 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.510582924 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.510615110 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.510628939 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.510649920 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.510682106 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.510694027 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.510714054 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.510750055 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.510761023 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.511503935 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.511537075 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.511554003 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.511571884 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.511625051 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.674634933 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.674653053 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.674685955 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.674698114 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.674721956 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.674781084 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.676218987 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676249027 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676299095 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.676302910 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676338911 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676388025 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676393986 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.676440001 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676471949 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676491976 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.676523924 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676556110 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676578045 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.676592112 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676624060 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676639080 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.676660061 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676692963 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676709890 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.676742077 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676774025 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676794052 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.676810026 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.676858902 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.678478003 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678535938 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678585052 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.678591013 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678642035 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678675890 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678689957 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.678709030 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678741932 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678755045 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.678793907 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678828001 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678842068 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.678859949 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678894997 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678911924 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.678927898 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678961039 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.678975105 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.678996086 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.679048061 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.681422949 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681473970 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681508064 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681528091 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.681560040 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681602955 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.681607008 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681639910 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681673050 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681685925 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.681705952 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681739092 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681750059 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.681772947 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681804895 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681822062 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.681838036 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681870937 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681885958 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.681905031 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.681952953 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.684638977 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.825731039 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.825778008 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.825833082 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.825838089 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.825874090 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.825921059 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.825927973 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.825961113 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.825994015 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826006889 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.826028109 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826078892 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.826081991 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826114893 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826148033 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826153994 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.826181889 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826215029 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826226950 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.826248884 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826283932 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.826294899 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.828811884 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.828872919 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.828892946 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.828926086 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.828970909 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.828979969 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829034090 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829067945 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829082012 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.829102993 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829135895 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829149008 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.829169035 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829200983 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829210997 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.829235077 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829267025 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829276085 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.829301119 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829334021 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829340935 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.829369068 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.829416037 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.832568884 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832626104 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832663059 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832669973 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.832700014 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832745075 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.832752943 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832803011 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832835913 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832859039 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.832865953 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832899094 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832915068 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.832932949 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832964897 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.832983971 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.832998991 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.833049059 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.833049059 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.833081961 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.833116055 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.833133936 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.838269949 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.838305950 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.838326931 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.838344097 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.838391066 CEST497313981192.168.2.4172.111.244.103
                                                                                                                      Oct 20, 2024 19:29:00.838397026 CEST398149731172.111.244.103192.168.2.4
                                                                                                                      Oct 20, 2024 19:29:00.838429928 CEST398149731172.111.244.103192.168.2.4
Oct 20, 2024 19:29:00.838464022 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.838474035 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.838500023 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.838546038 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.838901997 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.838939905 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.838974953 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.838992119 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.839010000 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.839044094 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.839054108 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.839076996 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.839109898 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.839124918 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.839143991 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.839176893 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.839195013 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.846715927 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.846786976 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.846788883 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.846824884 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.846858025 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.846875906 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.846893072 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.846925974 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.846942902 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.846963882 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.847013950 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.847805023 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.847902060 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.847954035 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.847970963 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.847987890 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.848023891 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.848051071 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.848066092 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.848103046 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.848117113 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.855185986 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.855243921 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.855245113 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.855299950 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.855334997 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.855353117 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.855367899 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.855415106 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.855422020 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.855458021 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.855508089 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.855998039 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.856033087 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.856066942 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.856084108 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.856117964 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.856152058 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.856163979 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.856184959 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.856219053 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.856232882 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.861788034 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.861821890 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.861857891 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.861874104 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.861906052 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.861938000 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.861941099 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.861974955 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.861984968 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.862025976 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862059116 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862072945 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.862093925 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862138033 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.862144947 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862179041 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862209082 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862222910 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.862242937 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862277031 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862291098 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.862313986 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.862361908 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.867516994 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.867579937 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.867614031 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.867631912 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.867692947 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.867726088 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.867743015 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.867759943 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.867795944 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.867808104 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.887630939 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887685061 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887729883 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.887737989 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887770891 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887789965 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.887825012 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887857914 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887872934 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.887892008 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887923956 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887948990 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.887958050 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.887991905 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888009071 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.888025999 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888057947 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888072014 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.888091087 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888125896 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888137102 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.888160944 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888192892 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888209105 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.888226032 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888257980 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888274908 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.888292074 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888328075 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.888334990 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.930836916 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.999608040 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.999641895 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.999691010 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:00.999692917 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.999728918 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.999758959 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:00.999777079 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:01.040195942 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:01.580166101 CEST  80  49732  178.237.33.50  192.168.2.4
Oct 20, 2024 19:29:01.580260038 CEST  49732  80  192.168.2.4  178.237.33.50
Oct 20, 2024 19:29:02.752966881 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:02.759072065 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759140015 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759145021 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:02.759170055 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759197950 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759224892 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759251118 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:02.759252071 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759279966 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759305954 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759341002 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.759960890 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.765212059 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.765239954 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.765355110 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.765382051 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.765424967 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.765451908 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.765479088 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.770585060 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:02.776715040 CEST  3981  49731  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.776773930 CEST  49731  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:02.783658028 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:02.796920061 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:02.802743912 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:32.803643942 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:29:32.805310011 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:29:32.810213089 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:30:02.825854063 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:30:02.883601904 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:30:02.937503099 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:30:02.942339897 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:30:32.852471113 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:30:32.853749037 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:30:32.858819008 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:30:48.493194103 CEST  49732  80  192.168.2.4  178.237.33.50
Oct 20, 2024 19:30:48.851847887 CEST  49732  80  192.168.2.4  178.237.33.50
Oct 20, 2024 19:30:49.539350986 CEST  49732  80  192.168.2.4  178.237.33.50
Oct 20, 2024 19:30:50.851865053 CEST  49732  80  192.168.2.4  178.237.33.50
Oct 20, 2024 19:30:53.351881981 CEST  49732  80  192.168.2.4  178.237.33.50
Oct 20, 2024 19:30:58.351779938 CEST  49732  80  192.168.2.4  178.237.33.50
Oct 20, 2024 19:31:02.955409050 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:31:02.960258007 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:31:02.965208054 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:31:08.039251089 CEST  49732  80  192.168.2.4  178.237.33.50
Oct 20, 2024 19:31:32.895941973 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:31:32.897284985 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:31:32.902069092 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:32:03.127204895 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:32:03.130305052 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:32:03.135323048 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:32:33.153954029 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:32:33.159310102 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:32:33.164141893 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:33:03.169966936 CEST  3981  49730  172.111.244.103  192.168.2.4
Oct 20, 2024 19:33:03.171387911 CEST  49730  3981  192.168.2.4  172.111.244.103
Oct 20, 2024 19:33:03.178124905 CEST  3981  49730  172.111.244.103  192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 19:28:56.193335056 CEST | 62160 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 19:28:56.298367977 CEST | 53 | 62160 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 19:28:58.505265951 CEST | 51857 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 19:28:59.391537905 CEST | 53 | 51857 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 20, 2024 19:28:56.193335056 CEST | 192.168.2.4 | 1.1.1.1 | 0x3749 | Standard query (0) | janbours92harbu007.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 20, 2024 19:28:58.505265951 CEST | 192.168.2.4 | 1.1.1.1 | 0x32a9 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 20, 2024 19:28:56.298367977 CEST | 1.1.1.1 | 192.168.2.4 | 0x3749 | No error (0) | janbours92harbu007.duckdns.org | - | 172.111.244.103 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 19:28:59.391537905 CEST | 1.1.1.1 | 192.168.2.4 | 0x32a9 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
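Two things in the tables above are worth turning into a check rather than reading by eye: the C2 hostname janbours92harbu007.duckdns.org resolves to 172.111.244.103 under a free dynamic-DNS provider, and the TCP rows show the same 172.111.244.103:3981 endpoint exchanging two or three packets with the sandbox host every 30 seconds or so. The Python below is an added example of that correlation, not part of the Joe Sandbox report: it flags resolved names under a dynamic-DNS suffix and tests the packet timestamps from such an address for a fixed-interval beacon. The packet rows and DNS answers are transcribed from the tables above; the suffix list, the one-second exchange window and the 10% jitter tolerance are choices made for this example.

```python
from datetime import datetime
from statistics import median

LO, C2, GEO = "192.168.2.4", "172.111.244.103", "178.237.33.50"

# Rows transcribed from the report's TCP packet table (constructed input for this example):
# (timestamp, src_port, dst_port, src_ip, dst_ip)
TCP_ROWS = [
    ("Oct 20, 2024 19:30:48.493194103", 49732, 80, LO, GEO),
    ("Oct 20, 2024 19:30:48.851847887", 49732, 80, LO, GEO),
    ("Oct 20, 2024 19:30:49.539350986", 49732, 80, LO, GEO),
    ("Oct 20, 2024 19:30:50.851865053", 49732, 80, LO, GEO),
    ("Oct 20, 2024 19:30:53.351881981", 49732, 80, LO, GEO),
    ("Oct 20, 2024 19:30:58.351779938", 49732, 80, LO, GEO),
    ("Oct 20, 2024 19:31:02.955409050", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:31:02.960258007", 49730, 3981, LO, C2),
    ("Oct 20, 2024 19:31:02.965208054", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:31:08.039251089", 49732, 80, LO, GEO),
    ("Oct 20, 2024 19:31:32.895941973", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:31:32.897284985", 49730, 3981, LO, C2),
    ("Oct 20, 2024 19:31:32.902069092", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:32:03.127204895", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:32:03.130305052", 49730, 3981, LO, C2),
    ("Oct 20, 2024 19:32:03.135323048", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:32:33.153954029", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:32:33.159310102", 49730, 3981, LO, C2),
    ("Oct 20, 2024 19:32:33.164141893", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:33:03.169966936", 3981, 49730, C2, LO),
    ("Oct 20, 2024 19:33:03.171387911", 49730, 3981, LO, C2),
    ("Oct 20, 2024 19:33:03.178124905", 3981, 49730, C2, LO),
]

# DNS answers transcribed from the report: (name, address)
DNS_ANSWERS = [
    ("janbours92harbu007.duckdns.org", C2),
    ("geoplugin.net", GEO),
]

# Short illustrative list of free dynamic-DNS suffixes chosen for this example.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")


def parse_ts(ts):
    # Joe Sandbox prints nanoseconds; datetime takes at most microseconds, so drop three digits.
    return datetime.strptime(ts[:-3], "%b %d, %Y %H:%M:%S.%f")


def dyndns_hosts(answers, suffixes=DYNDNS_SUFFIXES):
    """Return {address: name} for answers whose name sits under a dynamic-DNS suffix."""
    hits = {}
    for name, addr in answers:
        if any(name == s or name.endswith("." + s) for s in suffixes):
            hits[addr] = name
    return hits


def exchange_times(rows, src_ip, src_port):
    """Timestamps of packets from src_ip:src_port, with packets less than one second
    apart collapsed into a single exchange (each keepalive above is 2-3 packets)."""
    times = sorted(parse_ts(r[0]) for r in rows if r[3] == src_ip and r[1] == src_port)
    exchanges = []
    for t in times:
        if not exchanges or (t - exchanges[-1]).total_seconds() > 1.0:
            exchanges.append(t)
    return exchanges


def beacon_interval(times, max_jitter=0.10, min_gaps=3):
    """Median gap in seconds if every gap lies within max_jitter of the median, else None."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < min_gaps:
        return None
    med = median(gaps)
    return round(med, 2) if all(abs(g - med) <= max_jitter * med for g in gaps) else None


def find_beacons(rows, answers):
    """For each dynamic-DNS-resolved address, report source ports that beacon periodically."""
    findings = []
    for addr, name in dyndns_hosts(answers).items():
        for port in sorted({r[1] for r in rows if r[3] == addr}):
            interval = beacon_interval(exchange_times(rows, addr, port))
            if interval is not None:
                findings.append((name, addr, port, interval))
    return findings


if __name__ == "__main__":
    for name, addr, port, interval in find_beacons(TCP_ROWS, DNS_ANSWERS):
        print(f"{name} ({addr}:{port}) beacons every {interval}s")
```

On the report's rows the only periodic source is 172.111.244.103:3981 at a 30.02-second median; the 192.168.2.4:49732 packets to geoplugin.net have gaps of roughly 1, 1.3, 2.5, 5 and 9.7 seconds, the shape of TCP retransmission backoff rather than a beacon, and are correctly not reported.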
                                                                                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 178.237.33.50 | 80 | 7436 | C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Oct 20, 2024 19:28:59.401870012 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                                                      Host: geoplugin.net
                                                                                                                      Cache-Control: no-cache
Oct 20, 2024 19:29:00.448905945 CEST | 1182 | IN | HTTP/1.1 200 OK
                                                                                                                      date: Sun, 20 Oct 2024 17:29:00 GMT
                                                                                                                      server: Apache
                                                                                                                      content-length: 974
                                                                                                                      content-type: application/json; charset=utf-8
                                                                                                                      cache-control: public, max-age=300
                                                                                                                      access-control-allow-origin: *
                                                                                                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 39 36 2e 34 34 2e 31 35 31 2e 31 32 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4c 6f 73 20 41 6e 67 65 6c 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 2c [TRUNCATED]
                                                                                                                      Data Ascii: { "geoplugin_request":"96.44.151.125", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Los Angeles", "geoplugin_region":"California", "geoplugin_regionCode":"CA", "geoplugin_regionName":"California", "geoplugin_areaCode":"", "geoplugin_dmaCode":"803", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"33.956", "geoplugin_longitude":"-118.3887", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



Target ID: 0
Start time: 13:28:55
Start date: 20/10/2024
Path: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe"
Imagebase: 0x400000
File size: 494'592 bytes
MD5 hash: 848B4297CC3B325AB1F7CBF347B35624
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1656487894.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4119674517.000000000058E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4119976104.00000000022BF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 1
Start time: 13:29:00
Start date: 20/10/2024
Path: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\hpzxkuitwfkmc"
Imagebase: 0x400000
File size: 494'592 bytes
MD5 hash: 848B4297CC3B325AB1F7CBF347B35624
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.1705384048.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:29:00
Start date: 20/10/2024
Path: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\rreicntmjndrmhtg"
Imagebase: 0x400000
File size: 494'592 bytes
MD5 hash: 848B4297CC3B325AB1F7CBF347B35624
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000000.1709223068.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 3
Start time: 13:29:00
Start date: 20/10/2024
Path: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\tlkadfdoxvvepopkutxk"
Imagebase: 0x400000
File size: 494'592 bytes
MD5 hash: 848B4297CC3B325AB1F7CBF347B35624
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000000.1712182777.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: true
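Targets 1 to 3 above are the sample's own image started again at 13:29:00, each with `/stext "<file under %TEMP%>"` on the command line and each already exited. `/stext <file>` is the switch the NirSoft password-recovery tools (WebBrowserPassView, Mail PassView) use to write recovered credentials to a plain-text file, and Remcos is known to run those tools inside re-launched copies of its own process, so the process shape to hunt for is an executable spawning its own image with that switch and a Temp-directory output path, several times within a few seconds. The Python below is an added example of that detection logic over constructed process-creation events; it is not the Sigma rule the report refers to and not code from the report. Image path, command lines and start times are taken from the target list above; PID 7436 comes from the HTTP session table, while the other PIDs, the parent links (the three children are modelled as children of 7436, which the report does not state) and the benign control event are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE = (r"C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148"
          r".dat-decoded.exe")
TEMP = r"C:\Users\user\AppData\Local\Temp"


def stext_cmd(out_name):
    # Command line in the form shown for Targets 1 to 3 of the report.
    return f'{SAMPLE} /stext "{TEMP}\\{out_name}"'


# Constructed process-creation events modelled on Targets 0 to 3 (PIDs other than 7436,
# parent links and the last, benign event are assumptions of this example).
EVENTS = [
    {"time": "2024-10-20 13:28:55", "pid": 7436, "ppid": 4100, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"time": "2024-10-20 13:29:00", "pid": 7512, "ppid": 7436, "image": SAMPLE,
     "parent_image": SAMPLE, "cmdline": stext_cmd("hpzxkuitwfkmc")},
    {"time": "2024-10-20 13:29:00", "pid": 7520, "ppid": 7436, "image": SAMPLE,
     "parent_image": SAMPLE, "cmdline": stext_cmd("rreicntmjndrmhtg")},
    {"time": "2024-10-20 13:29:00", "pid": 7528, "ppid": 7436, "image": SAMPLE,
     "parent_image": SAMPLE, "cmdline": stext_cmd("tlkadfdoxvvepopkutxk")},
    # Benign control: a shell re-launching itself without /stext must not match.
    {"time": "2024-10-20 13:29:01", "pid": 7600, "ppid": 7590, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "dir C:\Users\user\AppData\Local\Temp"'},
]

STEXT_RE = re.compile(r'/stext\s+"?([^"]+)"?', re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def is_self_spawn_stext(ev):
    """True when a process re-launches its own image with /stext pointing under the
    user's Temp directory, the shape of Targets 1 to 3 in the report."""
    if ev["image"].lower() != ev["parent_image"].lower():
        return False
    m = STEXT_RE.search(ev["cmdline"])
    return bool(m and TEMP_RE.search(m.group(1)))


def detect_credential_dumps(events, window_s=10, min_children=2):
    """Group matching children by parent PID and alert on parents that spawn at least
    min_children of them within window_s seconds (the report shows three in one second)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    by_parent = defaultdict(list)
    for ev in events:
        if is_self_spawn_stext(ev):
            by_parent[ev["ppid"]].append(ev)
    alerts = []
    for ppid, kids in by_parent.items():
        kids.sort(key=lambda e: e["time"])
        span = datetime.strptime(kids[-1]["time"], fmt) - datetime.strptime(kids[0]["time"], fmt)
        if len(kids) >= min_children and span <= timedelta(seconds=window_s):
            alerts.append({
                "parent_pid": ppid,
                "image": kids[0]["image"],
                "output_files": [STEXT_RE.search(k["cmdline"]).group(1) for k in kids],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_credential_dumps(EVENTS):
        print(f"parent {a['parent_pid']} ({a['image']}) wrote {len(a['output_files'])} /stext dumps:")
        for f in a["output_files"]:
            print("  ", f)
```

The output-file paths the detection returns are the artefacts to collect on a live host: they are the temporary files the recovered credentials were written to before the parent process read them back, and the children have already exited by the time the report is rendered, so the command lines and those paths are the only trace the processes leave.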


                                                                                                                        Execution Graph

Execution Coverage: 5.2%
Dynamic/Decrypted Code Coverage: 3.8%
Signature Coverage: 18.4%
Total number of Nodes: 1865
Total number of Limit Nodes: 62
execution_graph: [interactive graph, not reproduced as text. The extracted fragment of the node/edge list keys nodes by function address, 0x4016b4 to 0x4497ec in the main image and 0x1000c7a7 to 0x1000c872 in a module loaded at 0x10000000, and names the following Windows APIs on graph nodes: InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle; connect, send, recv; WaitForSingleObject, SetEvent, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection; CryptAcquireContextA, CryptGenRandom, CryptReleaseContext; GetModuleHandleA, GetProcAddress, VirtualProtect; RtlAllocateHeap, RtlFreeHeap, GetLastError, GetEnvironmentStringsW, FreeEnvironmentStringsW. The remaining nodes are CRT internals (new, _free, ctype, _Atexit, __dosmaperr, std::_Deallocate, std::_Lockit).]
52667->52668 52669 401fd8 11 API calls 52668->52669 52670 4129b6 52669->52670 52755 404c10 52670->52755 52673 401fd8 11 API calls 52674 4129cc 52673->52674 52675 401fd8 11 API calls 52674->52675 52676 4129d4 52675->52676 52679 404846 socket 52678->52679 52680 404839 52678->52680 52681 404860 CreateEventW 52679->52681 52682 404842 52679->52682 52773 40489e WSAStartup 52680->52773 52681->52660 52682->52660 52684 40483e 52684->52679 52684->52682 52686 404a1b 52685->52686 52687 4048ee 52685->52687 52688 404a21 WSAGetLastError 52686->52688 52738 40497e 52686->52738 52689 404923 52687->52689 52687->52738 52774 40531e 52687->52774 52690 404a31 52688->52690 52688->52738 52809 420cf1 27 API calls 52689->52809 52692 404932 52690->52692 52693 404a36 52690->52693 52698 402093 28 API calls 52692->52698 52814 41cb72 30 API calls 52693->52814 52695 40490f 52779 402093 52695->52779 52697 40492b 52697->52692 52701 404941 52697->52701 52702 404a80 52698->52702 52700 404a40 52815 4052fd 28 API calls 52700->52815 52708 404950 52701->52708 52709 404987 52701->52709 52705 402093 28 API calls 52702->52705 52710 404a8f 52705->52710 52712 402093 28 API calls 52708->52712 52811 421ad1 54 API calls 52709->52811 52713 41b580 80 API calls 52710->52713 52716 40495f 52712->52716 52713->52738 52722 402093 28 API calls 52716->52722 52717 40498f 52719 4049c4 52717->52719 52720 404994 52717->52720 52813 420e97 28 API calls 52719->52813 52723 402093 28 API calls 52720->52723 52725 40496e 52722->52725 52727 4049a3 52723->52727 52728 41b580 80 API calls 52725->52728 52730 402093 28 API calls 52727->52730 52743 404973 52728->52743 52729 4049cc 52731 4049f9 CreateEventW CreateEventW 52729->52731 52733 402093 28 API calls 52729->52733 52732 4049b2 52730->52732 52731->52738 52734 41b580 80 API calls 52732->52734 52736 4049e2 52733->52736 52737 4049b7 52734->52737 52739 402093 28 API calls 52736->52739 52812 421143 52 API calls 52737->52812 52745 402f31 52738->52745 52740 4049f1 52739->52740 52742 41b580 80 
API calls 52740->52742 52744 4049f6 52742->52744 52810 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 52743->52810 52744->52731 52746 4020df 11 API calls 52745->52746 52747 402f3d 52746->52747 52748 4032a0 28 API calls 52747->52748 52749 402f59 52748->52749 52749->52664 52866 401fb0 52750->52866 52752 402f1e 52753 402055 11 API calls 52752->52753 52754 402f2d 52753->52754 52754->52667 52756 4020df 11 API calls 52755->52756 52757 404c27 52756->52757 52758 4020df 11 API calls 52757->52758 52768 404c30 52758->52768 52759 43bda0 new 21 API calls 52759->52768 52761 4020b7 28 API calls 52761->52768 52762 404ca1 52896 404e26 WaitForSingleObject 52762->52896 52766 401fd8 11 API calls 52766->52768 52767 401fd8 11 API calls 52769 404cb1 52767->52769 52768->52759 52768->52761 52768->52762 52768->52766 52869 404b96 52768->52869 52875 401fe2 52768->52875 52884 404cc3 52768->52884 52770 401fd8 11 API calls 52769->52770 52771 404cba 52770->52771 52771->52673 52773->52684 52775 4020df 11 API calls 52774->52775 52776 40532a 52775->52776 52816 4032a0 52776->52816 52778 405346 52778->52695 52780 40209b 52779->52780 52781 4023ce 11 API calls 52780->52781 52782 4020a6 52781->52782 52820 4024ed 52782->52820 52785 41b580 52786 41b631 52785->52786 52787 41b596 GetLocalTime 52785->52787 52789 401fd8 11 API calls 52786->52789 52788 40531e 28 API calls 52787->52788 52790 41b5d8 52788->52790 52791 41b639 52789->52791 52824 406383 52790->52824 52793 401fd8 11 API calls 52791->52793 52795 41b641 52793->52795 52795->52689 52796 402f10 28 API calls 52797 41b5f0 52796->52797 52798 406383 28 API calls 52797->52798 52799 41b5fc 52798->52799 52829 40723b 77 API calls 52799->52829 52801 41b60a 52802 401fd8 11 API calls 52801->52802 52803 41b616 52802->52803 52804 401fd8 11 API calls 52803->52804 52805 41b61f 52804->52805 52806 401fd8 11 API calls 52805->52806 52807 41b628 52806->52807 52808 401fd8 11 API calls 52807->52808 52808->52786 52809->52697 52810->52738 52811->52717 
52812->52743 52813->52729 52814->52700 52818 4032aa 52816->52818 52817 4032c9 52817->52778 52818->52817 52819 4028e8 28 API calls 52818->52819 52819->52817 52821 4024f9 52820->52821 52822 40250a 28 API calls 52821->52822 52823 4020b1 52822->52823 52823->52785 52830 4051ef 52824->52830 52826 406391 52834 402055 52826->52834 52829->52801 52831 4051fb 52830->52831 52840 405274 52831->52840 52833 405208 52833->52826 52835 402061 52834->52835 52836 4023ce 11 API calls 52835->52836 52837 40207b 52836->52837 52862 40267a 52837->52862 52841 405282 52840->52841 52842 405288 52841->52842 52843 40529e 52841->52843 52851 4025f0 52842->52851 52845 4052f5 52843->52845 52846 4052b6 52843->52846 52860 4028a4 22 API calls 52845->52860 52849 4028e8 28 API calls 52846->52849 52850 40529c 52846->52850 52849->52850 52850->52833 52852 402888 22 API calls 52851->52852 52853 402602 52852->52853 52854 402672 52853->52854 52855 402629 52853->52855 52861 4028a4 22 API calls 52854->52861 52858 4028e8 28 API calls 52855->52858 52859 40263b 52855->52859 52858->52859 52859->52850 52863 40268b 52862->52863 52864 4023ce 11 API calls 52863->52864 52865 40208d 52864->52865 52865->52796 52867 4025f0 28 API calls 52866->52867 52868 401fbd 52867->52868 52868->52752 52870 404ba0 WaitForSingleObject 52869->52870 52871 404bcd recv 52869->52871 52909 421107 54 API calls 52870->52909 52873 404be0 52871->52873 52873->52768 52874 404bbc SetEvent 52874->52873 52876 401ff1 52875->52876 52877 402039 52875->52877 52878 4023ce 11 API calls 52876->52878 52877->52768 52879 401ffa 52878->52879 52880 40203c 52879->52880 52881 402015 52879->52881 52882 40267a 11 API calls 52880->52882 52910 403098 28 API calls 52881->52910 52882->52877 52885 4020df 11 API calls 52884->52885 52895 404cde 52885->52895 52886 404e13 52887 401fd8 11 API calls 52886->52887 52888 404e1c 52887->52888 52888->52768 52889 4041a2 28 API calls 52889->52895 52890 401fe2 28 API calls 52890->52895 52891 401fd8 11 API calls 52891->52895 52892 4020f6 28 
API calls 52892->52895 52895->52886 52895->52889 52895->52890 52895->52891 52895->52892 52911 401fc0 52895->52911 52897 404e40 SetEvent CloseHandle 52896->52897 52898 404e57 closesocket 52896->52898 52899 404ca8 52897->52899 52900 404e64 52898->52900 52899->52767 52901 404e7a 52900->52901 53202 4050e4 84 API calls 52900->53202 52903 404e8c WaitForSingleObject 52901->52903 52904 404ece SetEvent CloseHandle 52901->52904 53203 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 52903->53203 52904->52899 52906 404e9b SetEvent WaitForSingleObject 53204 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 52906->53204 52908 404eb3 SetEvent CloseHandle CloseHandle 52908->52904 52909->52874 52910->52877 52912 401fd2 CreateEventA CreateThread WaitForSingleObject CloseHandle 52911->52912 52913 401fc9 52911->52913 52912->52895 52916 415b25 52912->52916 52915 4025e0 28 API calls 52913->52915 52915->52912 52917 4020f6 28 API calls 52916->52917 52918 415b47 SetEvent 52917->52918 52919 415b5c 52918->52919 52995 4041a2 52919->52995 52922 4020f6 28 API calls 52923 415b86 52922->52923 52924 4020f6 28 API calls 52923->52924 52925 415b98 52924->52925 52998 41beac 52925->52998 52928 415bc1 GetTickCount 53020 41bc1f 52928->53020 52929 415d20 52992 415d11 52929->52992 52993 415d34 52929->52993 52930 401e8d 11 API calls 52932 4170cd 52930->52932 52935 401fd8 11 API calls 52932->52935 52937 4170d9 52935->52937 52939 401fd8 11 API calls 52937->52939 52938 415bde 52940 41bc1f 28 API calls 52938->52940 52941 4170e5 52939->52941 52942 415be9 52940->52942 53026 41bb27 52942->53026 52947 401e65 22 API calls 52948 415c13 52947->52948 52949 402f31 28 API calls 52948->52949 52950 415c21 52949->52950 53035 402ea1 52950->53035 52953 402f10 28 API calls 52954 415c3f 52953->52954 52955 402ea1 28 API calls 52954->52955 52956 415c4e 52955->52956 52957 402f10 28 API calls 52956->52957 52958 415c5a 52957->52958 52959 402ea1 28 API calls 52958->52959 52960 415c64 
52959->52960 52961 404aa1 61 API calls 52960->52961 52962 415c73 52961->52962 52963 401fd8 11 API calls 52962->52963 52964 415c7c 52963->52964 52965 401fd8 11 API calls 52964->52965 52966 415c88 52965->52966 52967 401fd8 11 API calls 52966->52967 52968 415c94 52967->52968 52969 401fd8 11 API calls 52968->52969 52970 415ca0 52969->52970 52971 401fd8 11 API calls 52970->52971 52972 415cac 52971->52972 52973 401fd8 11 API calls 52972->52973 52974 415cb8 52973->52974 53044 401f09 52974->53044 52977 401fd8 11 API calls 52978 415cca 52977->52978 52979 401fd8 11 API calls 52978->52979 52980 415cd3 52979->52980 52981 401e65 22 API calls 52980->52981 52982 415cde 52981->52982 53047 43bb2c 52982->53047 52985 415cf0 52988 415d09 52985->52988 52989 415cfe 52985->52989 52986 415d16 52987 401e65 22 API calls 52986->52987 52987->52929 53052 404f51 52988->53052 53051 404ff4 82 API calls 52989->53051 52992->52930 53067 4050e4 84 API calls 52993->53067 52994 415d04 52994->52992 53068 40423a 52995->53068 52999 4020df 11 API calls 52998->52999 53000 41bebf 52999->53000 53004 41bf31 53000->53004 53007 4041a2 28 API calls 53000->53007 53012 401fe2 28 API calls 53000->53012 53014 401fd8 11 API calls 53000->53014 53019 41bf2f 53000->53019 53074 41cec5 53000->53074 53001 401fd8 11 API calls 53002 41bf61 53001->53002 53003 401fd8 11 API calls 53002->53003 53005 41bf69 53003->53005 53006 4041a2 28 API calls 53004->53006 53008 401fd8 11 API calls 53005->53008 53009 41bf3d 53006->53009 53007->53000 53010 415ba1 53008->53010 53011 401fe2 28 API calls 53009->53011 53010->52928 53010->52929 53010->52992 53013 41bf46 53011->53013 53012->53000 53015 401fd8 11 API calls 53013->53015 53014->53000 53016 41bf4e 53015->53016 53017 41cec5 28 API calls 53016->53017 53017->53019 53019->53001 53110 441ed1 53020->53110 53023 402093 28 API calls 53024 415bd2 53023->53024 53025 41bb77 GetLastInputInfo GetTickCount 53024->53025 53025->52938 53119 436f10 53026->53119 53031 41bdaf 53032 41bdbc 53031->53032 53033 
4020b7 28 API calls 53032->53033 53034 415c05 53033->53034 53034->52947 53041 402eb0 53035->53041 53036 402ef2 53037 401fb0 28 API calls 53036->53037 53038 402ef0 53037->53038 53039 402055 11 API calls 53038->53039 53040 402f09 53039->53040 53040->52953 53041->53036 53042 402ee7 53041->53042 53168 403365 28 API calls 53042->53168 53045 402252 11 API calls 53044->53045 53046 401f12 53045->53046 53046->52977 53048 43bb45 _swprintf 53047->53048 53169 43ae83 53048->53169 53050 415ceb 53050->52985 53050->52986 53051->52994 53053 404f65 53052->53053 53054 404fea 53052->53054 53055 404f6e 53053->53055 53056 404fc0 CreateEventA CreateThread 53053->53056 53057 404f7d GetLocalTime 53053->53057 53054->52992 53055->53056 53056->53054 53198 405150 53056->53198 53058 41bc1f 28 API calls 53057->53058 53059 404f91 53058->53059 53197 4052fd 28 API calls 53059->53197 53067->52994 53069 404243 53068->53069 53070 4023ce 11 API calls 53069->53070 53071 40424e 53070->53071 53072 402569 28 API calls 53071->53072 53073 4041b5 53072->53073 53073->52922 53075 41ced2 53074->53075 53076 41cf31 53075->53076 53080 41cee2 53075->53080 53077 41cf4b 53076->53077 53078 41d071 28 API calls 53076->53078 53094 41d1d7 28 API calls 53077->53094 53078->53077 53081 41cf1a 53080->53081 53085 41d071 53080->53085 53093 41d1d7 28 API calls 53081->53093 53082 41cf2d 53082->53000 53087 41d079 53085->53087 53086 41d0ab 53086->53081 53087->53086 53088 41d0af 53087->53088 53091 41d093 53087->53091 53105 402725 22 API calls 53088->53105 53095 41d0e2 53091->53095 53093->53082 53094->53082 53096 41d0ec __EH_prolog 53095->53096 53106 402717 22 API calls 53096->53106 53098 41d0ff 53107 41d1ee 11 API calls 53098->53107 53100 41d125 53101 41d15d 53100->53101 53108 402730 11 API calls 53100->53108 53101->53086 53103 41d144 53109 402712 11 API calls std::_Deallocate 53103->53109 53106->53098 53107->53100 53108->53103 53109->53101 53111 441edd 53110->53111 53114 441ccd 53111->53114 53113 41bc43 53113->53023 53115 441ce4 
53114->53115 53117 441d1b __wsopen_s 53115->53117 53118 44062d 20 API calls __dosmaperr 53115->53118 53117->53113 53118->53117 53120 41bb46 GetForegroundWindow GetWindowTextW 53119->53120 53121 40417e 53120->53121 53122 404186 53121->53122 53127 402252 53122->53127 53124 404191 53131 4041bc 53124->53131 53128 40225c 53127->53128 53129 4022ac 53127->53129 53128->53129 53135 402779 11 API calls std::_Deallocate 53128->53135 53129->53124 53132 4041c8 53131->53132 53136 4041d9 53132->53136 53134 40419c 53134->53031 53135->53129 53137 4041e9 53136->53137 53138 404206 53137->53138 53139 4041ef 53137->53139 53153 4027e6 53138->53153 53143 404267 53139->53143 53142 404204 53142->53134 53144 402888 22 API calls 53143->53144 53145 40427b 53144->53145 53146 404290 53145->53146 53147 4042a5 53145->53147 53164 4042df 22 API calls 53146->53164 53148 4027e6 28 API calls 53147->53148 53152 4042a3 53148->53152 53150 404299 53165 402c48 22 API calls 53150->53165 53152->53142 53154 4027ef 53153->53154 53155 402851 53154->53155 53156 4027f9 53154->53156 53167 4028a4 22 API calls 53155->53167 53159 402802 53156->53159 53160 402815 53156->53160 53166 402aea 28 API calls __EH_prolog 53159->53166 53161 402813 53160->53161 53163 402252 11 API calls 53160->53163 53161->53142 53163->53161 53164->53150 53165->53152 53166->53161 53168->53038 53185 43ba8a 53169->53185 53171 43aed0 53191 43a837 36 API calls 2 library calls 53171->53191 53172 43ae95 53172->53171 53173 43aeaa 53172->53173 53184 43aeaf __wsopen_s 53172->53184 53190 44062d 20 API calls __dosmaperr 53173->53190 53177 43aedc 53178 43af0b 53177->53178 53192 43bacf 40 API calls __Tolower 53177->53192 53181 43af77 53178->53181 53193 43ba36 20 API calls 2 library calls 53178->53193 53194 43ba36 20 API calls 2 library calls 53181->53194 53182 43b03e _swprintf 53182->53184 53195 44062d 20 API calls __dosmaperr 53182->53195 53184->53050 53186 43baa2 53185->53186 53187 43ba8f 53185->53187 53186->53172 53196 44062d 20 API calls __dosmaperr 
53187->53196 53189 43ba94 __wsopen_s 53189->53172 53190->53184 53191->53177 53192->53177 53193->53181 53194->53182 53195->53184 53196->53189 53201 40515c 102 API calls 53198->53201 53200 405159 53201->53200 53202->52901 53203->52906 53204->52908 53205 434918 53206 434924 ___BuildCatchObject 53205->53206 53232 434627 53206->53232 53208 43492b 53210 434954 53208->53210 53530 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 53208->53530 53215 434993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 53210->53215 53531 4442d2 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 53210->53531 53212 43496d 53214 434973 ___BuildCatchObject 53212->53214 53532 444276 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 53212->53532 53216 4349f3 53215->53216 53533 443487 36 API calls 6 library calls 53215->53533 53243 434ba5 53216->53243 53225 434a15 53226 434a1f 53225->53226 53535 4434bf 28 API calls _Atexit 53225->53535 53228 434a28 53226->53228 53536 443462 28 API calls _Atexit 53226->53536 53537 43479e 13 API calls 2 library calls 53228->53537 53231 434a30 53231->53214 53233 434630 53232->53233 53538 434cb6 IsProcessorFeaturePresent 53233->53538 53235 43463c 53539 438fb1 10 API calls 4 library calls 53235->53539 53237 434641 53242 434645 53237->53242 53540 44415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 53237->53540 53239 43464e 53240 43465c 53239->53240 53541 438fda 8 API calls 3 library calls 53239->53541 53240->53208 53242->53208 53244 436f10 ___scrt_get_show_window_mode 53243->53244 53245 434bb8 GetStartupInfoW 53244->53245 53246 4349f9 53245->53246 53247 444223 53246->53247 53542 44f0d9 53247->53542 53249 434a02 53252 40ea00 53249->53252 53250 44422c 53250->53249 53546 446895 36 API calls 53250->53546 53548 41cbe1 LoadLibraryA GetProcAddress 53252->53548 53254 40ea1c 
GetModuleFileNameW 53553 40f3fe 53254->53553 53256 40ea38 53257 4020f6 28 API calls 53256->53257 53258 40ea47 53257->53258 53259 4020f6 28 API calls 53258->53259 53260 40ea56 53259->53260 53261 41beac 28 API calls 53260->53261 53262 40ea5f 53261->53262 53568 40fb52 53262->53568 53264 40ea68 53265 401e8d 11 API calls 53264->53265 53266 40ea71 53265->53266 53267 40ea84 53266->53267 53268 40eace 53266->53268 53762 40fbee 97 API calls 53267->53762 53269 401e65 22 API calls 53268->53269 53272 40eade 53269->53272 53271 40ea96 53273 401e65 22 API calls 53271->53273 53275 401e65 22 API calls 53272->53275 53274 40eaa2 53273->53274 53763 410f72 36 API calls __EH_prolog 53274->53763 53276 40eafd 53275->53276 53277 40531e 28 API calls 53276->53277 53279 40eb0c 53277->53279 53281 406383 28 API calls 53279->53281 53280 40eab4 53764 40fb9f 78 API calls 53280->53764 53283 40eb18 53281->53283 53285 401fe2 28 API calls 53283->53285 53284 40eabd 53765 40f3eb 71 API calls 53284->53765 53287 40eb24 53285->53287 53288 401fd8 11 API calls 53287->53288 53289 40eb2d 53288->53289 53291 401fd8 11 API calls 53289->53291 53290 401fd8 11 API calls 53292 40ef36 53290->53292 53293 40eb36 53291->53293 53534 443396 GetModuleHandleW 53292->53534 53294 401e65 22 API calls 53293->53294 53295 40eb3f 53294->53295 53296 401fc0 28 API calls 53295->53296 53297 40eb4a 53296->53297 53298 401e65 22 API calls 53297->53298 53299 40eb63 53298->53299 53300 401e65 22 API calls 53299->53300 53301 40eb7e 53300->53301 53302 40ebe9 53301->53302 53766 406c59 53301->53766 53303 401e65 22 API calls 53302->53303 53308 40ebf6 53303->53308 53305 40ebab 53306 401fe2 28 API calls 53305->53306 53307 40ebb7 53306->53307 53310 401fd8 11 API calls 53307->53310 53309 40ec3d 53308->53309 53315 413584 3 API calls 53308->53315 53572 40d0a4 53309->53572 53311 40ebc0 53310->53311 53771 413584 RegOpenKeyExA 53311->53771 53313 40ec43 53314 40eac6 53313->53314 53575 41b354 53313->53575 53314->53290 53321 40ec21 53315->53321 53319 40f38a 
53864 4139e4 30 API calls 53319->53864 53320 40ec5e 53323 40ecb1 53320->53323 53592 407751 53320->53592 53321->53309 53774 4139e4 30 API calls 53321->53774 53324 401e65 22 API calls 53323->53324 53327 40ecba 53324->53327 53336 40ecc6 53327->53336 53337 40eccb 53327->53337 53329 40f3a0 53865 4124b0 65 API calls ___scrt_get_show_window_mode 53329->53865 53330 40ec87 53334 401e65 22 API calls 53330->53334 53331 40ec7d 53775 407773 30 API calls 53331->53775 53346 40ec90 53334->53346 53335 40f3aa 53339 41bcef 28 API calls 53335->53339 53778 407790 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 53336->53778 53342 401e65 22 API calls 53337->53342 53338 40ec82 53776 40729b 98 API calls 53338->53776 53343 40f3ba 53339->53343 53344 40ecd4 53342->53344 53664 413a5e RegOpenKeyExW 53343->53664 53596 41bcef 53344->53596 53346->53323 53349 40ecac 53346->53349 53348 40ecdf 53600 401f13 53348->53600 53777 40729b 98 API calls 53349->53777 53353 401f09 11 API calls 53356 40f3d7 53353->53356 53355 401f09 11 API calls 53357 40ecf3 53355->53357 53358 401f09 11 API calls 53356->53358 53359 401e65 22 API calls 53357->53359 53360 40f3e0 53358->53360 53361 40ecfc 53359->53361 53667 40dd7d 53360->53667 53365 401e65 22 API calls 53361->53365 53367 40ed16 53365->53367 53366 40f3ea 53368 401e65 22 API calls 53367->53368 53369 40ed30 53368->53369 53370 401e65 22 API calls 53369->53370 53371 40ed49 53370->53371 53372 40edb6 53371->53372 53373 401e65 22 API calls 53371->53373 53374 40edc5 53372->53374 53379 40ef41 ___scrt_get_show_window_mode 53372->53379 53378 40ed5e _wcslen 53373->53378 53375 40edce 53374->53375 53403 40ee4a ___scrt_get_show_window_mode 53374->53403 53376 401e65 22 API calls 53375->53376 53377 40edd7 53376->53377 53380 401e65 22 API calls 53377->53380 53378->53372 53382 401e65 22 API calls 53378->53382 53839 413733 RegOpenKeyExA 53379->53839 53381 40ede9 53380->53381 53385 401e65 22 API calls 53381->53385 53383 40ed79 53382->53383 53387 401e65 22 API calls 
53383->53387 53386 40edfb 53385->53386 53390 401e65 22 API calls 53386->53390 53388 40ed8e 53387->53388 53779 40da6f 53388->53779 53389 40ef8c 53391 401e65 22 API calls 53389->53391 53393 40ee24 53390->53393 53394 40efb1 53391->53394 53398 401e65 22 API calls 53393->53398 53399 402093 28 API calls 53394->53399 53396 401f13 28 API calls 53397 40edad 53396->53397 53401 401f09 11 API calls 53397->53401 53402 40ee35 53398->53402 53400 40efc3 53399->53400 53619 4137aa RegCreateKeyA 53400->53619 53401->53372 53837 40ce34 46 API calls _wcslen 53402->53837 53609 413982 53403->53609 53407 40ee45 53407->53403 53409 40eede ctype 53412 401e65 22 API calls 53409->53412 53410 401e65 22 API calls 53411 40efe5 53410->53411 53414 43bb2c 40 API calls 53411->53414 53413 40eef5 53412->53413 53413->53389 53416 40ef09 53413->53416 53415 40eff2 53414->53415 53417 40effc 53415->53417 53418 40f01f 53415->53418 53419 401e65 22 API calls 53416->53419 53842 41ce2c 88 API calls ___scrt_get_show_window_mode 53417->53842 53422 402093 28 API calls 53418->53422 53420 40ef12 53419->53420 53423 41bcef 28 API calls 53420->53423 53425 40f034 53422->53425 53426 40ef1e 53423->53426 53424 40f003 CreateThread 53424->53418 54333 41d4ee 10 API calls 53424->54333 53427 402093 28 API calls 53425->53427 53838 40f4af 114 API calls 53426->53838 53429 40f043 53427->53429 53431 41b580 80 API calls 53429->53431 53430 40ef23 53430->53389 53432 40ef2a 53430->53432 53433 40f048 53431->53433 53432->53314 53434 401e65 22 API calls 53433->53434 53435 40f054 53434->53435 53436 401e65 22 API calls 53435->53436 53437 40f066 53436->53437 53438 401e65 22 API calls 53437->53438 53439 40f086 53438->53439 53440 43bb2c 40 API calls 53439->53440 53441 40f093 53440->53441 53442 401e65 22 API calls 53441->53442 53443 40f09e 53442->53443 53444 401e65 22 API calls 53443->53444 53445 40f0af 53444->53445 53446 401e65 22 API calls 53445->53446 53447 40f0c4 53446->53447 53448 401e65 22 API calls 53447->53448 53449 40f0d5 53448->53449 
53450 40f0dc StrToIntA 53449->53450 53625 409e1f 53450->53625 53453 401e65 22 API calls 53454 40f0f7 53453->53454 53455 40f103 53454->53455 53456 40f13c 53454->53456 53843 43455e 53455->53843 53458 401e65 22 API calls 53456->53458 53461 40f14c 53458->53461 53460 401e65 22 API calls 53462 40f11f 53460->53462 53464 40f194 53461->53464 53465 40f158 53461->53465 53463 40f126 CreateThread 53462->53463 53463->53456 54336 41a045 110 API calls __EH_prolog 53463->54336 53466 401e65 22 API calls 53464->53466 53467 43455e new 22 API calls 53465->53467 53468 40f19d 53466->53468 53469 40f161 53467->53469 53472 40f207 53468->53472 53473 40f1a9 53468->53473 53470 401e65 22 API calls 53469->53470 53471 40f173 53470->53471 53474 40f17a CreateThread 53471->53474 53475 401e65 22 API calls 53472->53475 53476 401e65 22 API calls 53473->53476 53474->53464 54335 41a045 110 API calls __EH_prolog 53474->54335 53477 40f210 53475->53477 53478 40f1b9 53476->53478 53479 40f255 53477->53479 53480 40f21c 53477->53480 53481 401e65 22 API calls 53478->53481 53650 41b69e GetComputerNameExW GetUserNameW 53479->53650 53483 401e65 22 API calls 53480->53483 53484 40f1ce 53481->53484 53486 40f225 53483->53486 53850 40da23 53484->53850 53492 401e65 22 API calls 53486->53492 53487 401f13 28 API calls 53488 40f269 53487->53488 53491 401f09 11 API calls 53488->53491 53495 40f272 53491->53495 53493 40f23a 53492->53493 53504 43bb2c 40 API calls 53493->53504 53494 401f13 28 API calls 53496 40f1ed 53494->53496 53497 40f27b SetProcessDEPPolicy 53495->53497 53498 40f27e CreateThread 53495->53498 53499 401f09 11 API calls 53496->53499 53497->53498 53500 40f293 CreateThread 53498->53500 53501 40f29f 53498->53501 54306 40f7e2 53498->54306 53505 40f1f6 CreateThread 53499->53505 53500->53501 54337 412132 146 API calls 53500->54337 53502 40f2b4 53501->53502 53503 40f2a8 CreateThread 53501->53503 53507 40f307 53502->53507 53509 402093 28 API calls 53502->53509 53503->53502 54338 412716 38 API calls 
___scrt_get_show_window_mode 53503->54338 53506 40f247 53504->53506 53505->53472 54334 401a6d 50 API calls 53505->54334 53861 40c19d 7 API calls 53506->53861 53661 41353a RegOpenKeyExA 53507->53661 53510 40f2d7 53509->53510 53862 4052fd 28 API calls 53510->53862 53515 40f328 53517 41bcef 28 API calls 53515->53517 53519 40f338 53517->53519 53863 413656 31 API calls 53519->53863 53524 40f34e 53525 401f09 11 API calls 53524->53525 53528 40f359 53525->53528 53526 40f381 DeleteFileW 53527 40f388 53526->53527 53526->53528 53527->53335 53528->53335 53528->53526 53529 40f36f Sleep 53528->53529 53529->53528 53530->53208 53531->53212 53532->53215 53533->53216 53534->53225 53535->53226 53536->53228 53537->53231 53538->53235 53539->53237 53540->53239 53541->53242 53543 44f0eb 53542->53543 53544 44f0e2 53542->53544 53543->53250 53547 44efd8 49 API calls 4 library calls 53544->53547 53546->53250 53547->53543 53549 41cc20 LoadLibraryA GetProcAddress 53548->53549 53550 41cc10 GetModuleHandleA GetProcAddress 53548->53550 53551 41cc49 44 API calls 53549->53551 53552 41cc39 LoadLibraryA GetProcAddress 53549->53552 53550->53549 53551->53254 53552->53551 53866 41b539 FindResourceA 53553->53866 53556 43bda0 new 21 API calls 53557 40f428 ctype 53556->53557 53558 4020b7 28 API calls 53557->53558 53559 40f443 53558->53559 53560 401fe2 28 API calls 53559->53560 53561 40f44e 53560->53561 53562 401fd8 11 API calls 53561->53562 53563 40f457 53562->53563 53564 43bda0 new 21 API calls 53563->53564 53565 40f468 ctype 53564->53565 53869 406e13 53565->53869 53567 40f49b 53567->53256 53569 40fb5e 53568->53569 53571 40fb65 53568->53571 53872 402163 11 API calls 53569->53872 53571->53264 53873 401fab 53572->53873 53574 40d0ae CreateMutexA GetLastError 53574->53313 53874 41c048 53575->53874 53580 401fe2 28 API calls 53581 41b390 53580->53581 53582 401fd8 11 API calls 53581->53582 53583 41b398 53582->53583 53584 4135e1 31 API calls 53583->53584 53586 41b3ee 53583->53586 53585 41b3c1 53584->53585 53587 

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
• GetProcAddress.KERNEL32(00000000), ref: 0041CD06
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                                                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                                                        • API String ID: 4236061018-3687161714
                                                                                                                        • Opcode ID: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                                                                                                        • Instruction ID: 9b463eec3a0437fb1f175c53e93b0f4db36c95b88d1cb607187732a7b05a7934
                                                                                                                        • Opcode Fuzzy Hash: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                                                                                                        • Instruction Fuzzy Hash: E2418BA0E8035879DB207BB65D89E3B3E5CD9857953614837B44C93550EBBCEC408EAE

Control-flow Graph (function starting at 40ea00; graph image not reproduced, node legend: Executed / Not Executed)
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe,00000104), ref: 0040EA29
                                                                                                                          • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                        • String ID: (TG$,aF$,aF$0SG$0SG$Access Level: $Administrator$C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe$Exe$Exe$HSG$HSG$Inj$Remcos Agent initialized$Software\$User$`SG$del$del$exepath$licence$license_code.txt$tMG$RG$RG$RG$RG$RG
                                                                                                                        • API String ID: 2830904901-1704419152
                                                                                                                        • Opcode ID: 0dd18a9300b8f37dfcff9058282c53e88c8f2905d6fd96de7916dcea26a2c274
                                                                                                                        • Instruction ID: 744eeac4272eceb7f63ef51a6efbfa797c3f505d1bd04c543663c5f487e0f2b9
                                                                                                                        • Opcode Fuzzy Hash: 0dd18a9300b8f37dfcff9058282c53e88c8f2905d6fd96de7916dcea26a2c274
                                                                                                                        • Instruction Fuzzy Hash: 7D32D860B043416BDA14B7729C57B6E26994F80748F40483FB9467F2E3EEBD8D45839E

Control-flow Graph (function starting at 41812a; graph image not reproduced, node legend: Executed / Not Executed)
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                                                        • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                                                                        • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
                                                                                                                        • NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
                                                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                                                                        • NtClose.NTDLL(?), ref: 00418332
                                                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                                                        • NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
                                                                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                                                        • ResumeThread.KERNEL32(?), ref: 00418470
                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                                                        • NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
                                                                                                                        • NtClose.NTDLL(?), ref: 004184A3
                                                                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                                                        • GetLastError.KERNEL32 ref: 004184B5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
                                                                                                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                                                        • API String ID: 3150337530-3035715614
                                                                                                                        • Opcode ID: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                                                                                                        • Instruction ID: 6e605283caf6159cf0966bfa06415cd8be065dbd330dc5e1b11c181c8b11ae87
                                                                                                                        • Opcode Fuzzy Hash: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                                                                                                        • Instruction Fuzzy Hash: 5AA14DB0604301AFDB209F64DD85B6B7BE8FB88745F04482EF689D6291EB78DC44CB59

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                                                                        • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                                                                        • GetLastError.KERNEL32 ref: 0040A328
                                                                                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                                                                                        • TranslateMessage.USER32(?), ref: 0040A385
                                                                                                                        • DispatchMessageA.USER32(?), ref: 0040A390
                                                                                                                        Strings
                                                                                                                        • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                                                        • String ID: Keylogger initialization failure: error
                                                                                                                        • API String ID: 3219506041-952744263
                                                                                                                        • Opcode ID: 6e233c6e732ccaaa70308789ac16fcddde735690b2cc84a388d7a55fff928fce
                                                                                                                        • Instruction ID: bc7b44719e59224dfa2ccda8cade24f8ec1ba8a069f7aee67aec650331f950b6
                                                                                                                        • Opcode Fuzzy Hash: 6e233c6e732ccaaa70308789ac16fcddde735690b2cc84a388d7a55fff928fce
                                                                                                                        • Instruction Fuzzy Hash: 8911C131510301EBC710BB769C0986B77ACEB95715B20097EFC82E22D1FB34C910CBAA

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                        • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1083526818-0
                                                                                                                        • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                        • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                                                        • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                        • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                                                          • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
                                                                                                                          • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                                                                        • ExitProcess.KERNEL32 ref: 0040F905
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                                                        • String ID: 5.2.0 Pro$override$pth_unenc$RG
                                                                                                                        • API String ID: 2281282204-1448307011
                                                                                                                        • Opcode ID: 3c03a218c075b6ec39c216bc398aa57ef6cd9b47273f335186667c9805b65560
                                                                                                                        • Instruction ID: 0454f1d730b8de97e77b6af0221289a353f5645d6d0bcfbcd4472c6607f37e61
                                                                                                                        • Opcode Fuzzy Hash: 3c03a218c075b6ec39c216bc398aa57ef6cd9b47273f335186667c9805b65560
                                                                                                                        • Instruction Fuzzy Hash: 7421E171B0420127D6087676885B6AE399A9B80708F50453FF409672D6FF7C8E0483AF

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                                                                        Strings
                                                                                                                        • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                                        • String ID: http://geoplugin.net/json.gp
                                                                                                                        • API String ID: 3121278467-91888290
                                                                                                                        • Opcode ID: 4e2645c3046718cbe2031a9352f432545f17450a0a2b1c602f3596dc6c63889a
                                                                                                                        • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                                                                                        • Opcode Fuzzy Hash: 4e2645c3046718cbe2031a9352f432545f17450a0a2b1c602f3596dc6c63889a
                                                                                                                        • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                                                        • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                                                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                                                                          • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                                                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                                                                          • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                                                          • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3950776272-0
                                                                                                                        • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                                                        • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                                                                        • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                                                        • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(00000001,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                                                                        Strings
                                                                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Create$EventLocalThreadTime
                                                                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                        • API String ID: 2532271599-1507639952
                                                                                                                        • Opcode ID: 83e67b396947fc46d4134d1b7571d5e573c4bed954c085fc591a6d12371a5ca9
                                                                                                                        • Instruction ID: 4df055e7b18788cc2e6f6b282d58d8d1f041b9f055d7d752625e2c9c7705ec55
                                                                                                                        • Opcode Fuzzy Hash: 83e67b396947fc46d4134d1b7571d5e573c4bed954c085fc591a6d12371a5ca9
                                                                                                                        • Instruction Fuzzy Hash: D7110A71900385BAC720A7779C0DEABBFACDBD2714F04046FF54162291D6B89445CBBA
                                                                                                                        APIs
                                                                                                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,005B94E0), ref: 004338DA
                                                                                                                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1815803762-0
                                                                                                                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                                                        • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                                                                                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                                                        • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                                                                                        APIs
                                                                                                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750F4), ref: 0041B6BB
                                                                                                                        • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Name$ComputerUser
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4229901323-0
                                                                                                                        • Opcode ID: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                                                                                                        • Instruction ID: 96a0ba9ffe47efa01ac310f3847ceb2d7b3b0148e4494d8e74ae155582b6cc75
                                                                                                                        • Opcode Fuzzy Hash: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                                                                                                        • Instruction Fuzzy Hash: 9E014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E888BA8
                                                                                                                        APIs
                                                                                                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EF0,00475A10,00474EF0,00000000,00474EF0,00000000,00474EF0,5.2.0 Pro), ref: 0040F920
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoLocale
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2299586839-0
                                                                                                                        • Opcode ID: 4f66370edde0bdaa3bcc008f8ea5ce22c00289683c96eec7ff0f1ed7c7935faa
                                                                                                                        • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                                                                        • Opcode Fuzzy Hash: 4f66370edde0bdaa3bcc008f8ea5ce22c00289683c96eec7ff0f1ed7c7935faa
                                                                                                                        • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 494 414f65-414fad call 4020df call 41b944 call 4020df call 401e65 call 401fab call 43bb2c 507 414fbc-415008 call 402093 call 401e65 call 4020f6 call 41beac call 40489e call 401e65 call 40b9f8 494->507 508 414faf-414fb6 Sleep 494->508 523 41500a-415079 call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 507->523 524 41507c-415117 call 402093 call 401e65 call 4020f6 call 41beac call 401e65 * 2 call 406c59 call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 507->524 508->507 523->524 577 415127-41512e 524->577 578 415119-415125 524->578 579 415133-4151c5 call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414f24 577->579 578->579 606 415210-41521e call 40482d 579->606 607 4151c7-41520b WSAGetLastError call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 579->607 612 415220-415246 call 402093 * 2 call 41b580 606->612 613 41524b-415260 call 404f51 call 4048c8 606->613 630 415ade-415af0 call 404e26 call 4021fa 607->630 612->630 629 415266-4153b9 call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 4 call 41b871 call 4145f8 call 409097 call 441ed1 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 413733 613->629 613->630 694 4153bb-4153c8 call 405aa6 629->694 695 4153cd-4153f4 call 401fab call 4135e1 629->695 643 415af2-415b12 call 401e65 call 401fab call 43bb2c Sleep 630->643 644 415b18-415b20 call 401e8d 630->644 643->644 644->524 694->695 701 4153f6-4153f8 695->701 702 4153fb-415a45 call 40417e call 40ddc4 call 41bcd3 call 41bdaf call 41bc1f call 401e65 GetTickCount call 41bc1f call 41bb77 call 41bc1f * 2 call 41bb27 call 41bdaf * 5 call 40f90c call 41bdaf 
call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 call 404aa1 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 695->702 701->702 947 415a4a-415a51 702->947 948 415a53-415a5a 947->948 949 415a65-415a6c 947->949 948->949 952 415a5c-415a5e 948->952 950 415a78-415aaa call 405a6b call 402093 * 2 call 41b580 949->950 951 415a6e-415a73 call 40b08c 949->951 963 415aac-415ab8 CreateThread 950->963 964 415abe-415ad9 call 401fd8 * 2 call 401f09 950->964 951->950 952->949 963->964 964->630
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00000000,00000029,00475300,004750F4,00000000), ref: 00414FB6
                                                                                                                        • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                                                                        • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep$ErrorLastLocalTime
                                                                                                                        • String ID: | $%I64u$,aF$5.2.0 Pro$C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$HSG$TLS Off$TLS On $`SG$`Z$hlight$name$tMG$RG
                                                                                                                        • API String ID: 524882891-3339359427
                                                                                                                        • Opcode ID: c976d42a92b3667ade10ca1971ddfee70b387a1173c8648a5acefd983348bb43
                                                                                                                        • Instruction ID: d8c825886b0a0d8326cbfb5c9d4cc5050fd80dde9ad4bcb2ea62c87b00a1b781
                                                                                                                        • Opcode Fuzzy Hash: c976d42a92b3667ade10ca1971ddfee70b387a1173c8648a5acefd983348bb43
                                                                                                                        • Instruction Fuzzy Hash: 03526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                                                          • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                          • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                          • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                          • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                          • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                          • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                          • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                          • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                        • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                                                        • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                                                        • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                                                        • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                                                        • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                                                        • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                                                        • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                                                        • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                                                        • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                                                        • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                        • String ID: )$Foxmail$ProgramFiles
                                                                                                                        • API String ID: 672098462-2938083778
                                                                                                                        • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                        • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                                                        • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                        • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                                                        Control-flow Graph

                                                                                                                        • Control-flow graph for the function at 00412AEF (nodes marked Executed / Not Executed); the graph is rendered as an image in the report and its node list is not reproduced here.
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                                                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                                                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                                        • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                                                                        • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                                                                        • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                                                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                                                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                                                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                                                                        • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                                                                        • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                                        • String ID: /stext "$,aF$@TG$@TG
                                                                                                                        • API String ID: 1223786279-971885606
                                                                                                                        • Opcode ID: e53fecb3ea47eae1eed9929f18e49add5954f69557d43348e9797d284588bfe2
                                                                                                                        • Instruction ID: 54c64e465a66050ec466d83b34d0c9889d7f3cdaa7358c1e9e14d2467042f0e2
                                                                                                                        • Opcode Fuzzy Hash: e53fecb3ea47eae1eed9929f18e49add5954f69557d43348e9797d284588bfe2
                                                                                                                        • Instruction Fuzzy Hash: 5B0268315083414AC325FB62D891AEFB3E5AFD0348F50483FF58A971E2EF785A49C65A

                                                                                                                        Control-flow Graph

                                                                                                                        • Control-flow graph for the function at 004048C8 (nodes marked Executed / Not Executed); the graph is rendered as an image in the report and its node list is not reproduced here.
                                                                                                                        APIs
                                                                                                                        • connect.WS2_32(FFFFFFFF,005B18D8,00000010), ref: 004048E0
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                                                        • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                        • API String ID: 994465650-2151626615
                                                                                                                        • Opcode ID: c5d38f0f22f3010d6961fda9b348a04099d06d82ea66a40e2069e37e8a749612
                                                                                                                        • Instruction ID: d7ad8a6a5323ad03425d5def7d05b30a9c8ce31cd4ccd690c712fe6c843f15aa
                                                                                                                        • Opcode Fuzzy Hash: c5d38f0f22f3010d6961fda9b348a04099d06d82ea66a40e2069e37e8a749612
                                                                                                                        • Instruction Fuzzy Hash: AD41E8B575060277C61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                                                                        • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3658366068-0
                                                                                                                        • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                                                        • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                                                                        • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                                                        • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                                                          • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                                                          • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                                          • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                                          • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                                                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                        • String ID: 0Z$HSG$HSG$xdF
                                                                                                                        • API String ID: 3795512280-2139679811
                                                                                                                        • Opcode ID: 0400afea1f5a00dd62ea3da6076e8e1c1b71d3f85647d7dba7c26e7eb2bec04a
                                                                                                                        • Instruction ID: b4a8632174cffc949347442128fe52ffedc09667b4c22c284aa084888e76bad6
                                                                                                                        • Opcode Fuzzy Hash: 0400afea1f5a00dd62ea3da6076e8e1c1b71d3f85647d7dba7c26e7eb2bec04a
                                                                                                                        • Instruction Fuzzy Hash: AC518D716043015ACB15BB72C866ABE77AA9F80349F00483FF642B71E2DF7C9D09865E

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                                                                        • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                                                                        • GetForegroundWindow.USER32 ref: 0040AD84
                                                                                                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                                                                                        • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                                                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                                        • String ID: [${ User has been idle for $ minutes }$]
                                                                                                                        • API String ID: 911427763-3954389425

Control-flow Graph
APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
• CloseHandle.KERNEL32(00000000), ref: 0041C4EA
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
• CloseHandle.KERNEL32(00000000), ref: 0041C508
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreatePointerWrite
• String ID: xpF
• API String ID: 1852769593-354647465
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
• StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750F4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 782494840-2070987746
APIs
• GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
APIs
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
  • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
APIs
• GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
• GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID: !D@$,aF
• API String ID: 180926312-3317875915
                                                                                                                        APIs
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                                                                                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                        Strings
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateThread$LocalTimewsprintf
                                                                                                                        • String ID: Offline Keylogger Started
                                                                                                                        • API String ID: 465354869-4114347211
                                                                                                                        APIs
                                                                                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                                                        • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                                                                                                        • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                                                                                                        Strings
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCreateValue
                                                                                                                        • String ID: pth_unenc
                                                                                                                        • API String ID: 1818849710-4028850238
                                                                                                                        APIs
                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 00404DB3
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 00404DC7
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3360349984-0
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseCreateHandleReadSize
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3919263394-0
                                                                                                                        APIs
                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                                                                                        • GetLastError.KERNEL32 ref: 0040D0BE
                                                                                                                        Strings
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateErrorLastMutex
                                                                                                                        • String ID: 0SG
                                                                                                                        • API String ID: 1925916568-2718230054
                                                                                                                        APIs
                                                                                                                        • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                                                                                                        • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: EventObjectSingleWaitsend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3963590051-0
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                                        • RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
• RegCloseKey.KERNEL32(00000000), ref: 00413773
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044F461
• _free.LIBCMT ref: 0044F49A
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
• API ID: EnvironmentStrings$Free_free
• String ID:
• API String ID: 2716640707-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
• RegCloseKey.KERNEL32(?), ref: 004135CD
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
• RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
• RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
APIs
Strings
• API ID: _wcslen
• String ID: 0Z
• API String ID: 176396367-4257796039
APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
Strings
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
APIs
• _free.LIBCMT ref: 00446227
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• HeapReAlloc.KERNEL32(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
• API ID: Heap$AllocAllocate_free
• String ID:
• API String ID: 2447670028-0

APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
• Instruction ID: d30f6c82ceabff406a890a607b6903e59214fa94f63df9469096212d3e1caec2
• Opcode Fuzzy Hash: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
• Instruction Fuzzy Hash: F90171B1408B809ED7359F28A8456967FE0AB55304F044D6EF1DA97B92D3B5A881CB18

• API ID:
• String ID:
• API String ID:
• Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
• Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
• Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
• Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D

APIs
• GetForegroundWindow.USER32 ref: 0041BB49
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0
• Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
• Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
• Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
• Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5

APIs
• getaddrinfo.WS2_32(00000000,00000000,00000000,00472AF0,004750F4,00000000,004151C3,00000000,00000001), ref: 00414F46
• WSASetLastError.WS2_32(00000000), ref: 00414F4B
  • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
• String ID:
• API String ID: 1170566393-0
• Opcode ID: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
• Instruction ID: b2b0aefd8e35b341f4c894e58f46b645776b5e98a3349e02c71c7f637998c076
• Opcode Fuzzy Hash: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
• Instruction Fuzzy Hash: 9DD05B322005316BD310576D6C00FFB569EDFD7760B110037F404D3251DA949C8247AC

• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
• Instruction ID: 3af98ca860494c99acd04ebe2bb4cc6dc665ec8dea8eb108ba88c8789d347e54
• Opcode Fuzzy Hash: 3a029944d771eb8a1b2846a7b5ac2838134afd3be6a211902ab956b72bc11154
• Instruction Fuzzy Hash: 9411E3B27201019FD7149B18C860BA6B766FF50710F5942AAE256CB3B2DB35EC91CA98

APIs
• RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
• Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
• Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
• Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF

APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
• API ID: Startup
• String ID:
• API String ID: 724789610-0
• Opcode ID: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
• Instruction ID: 8755cd578eecc9cf916cb98f31ec890f8d4d8ec8e876fe09ba6f20fbb4fb2f80
• Opcode Fuzzy Hash: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
• Instruction Fuzzy Hash: 02D0123255C60CCED620ABB4AD0F8A4775CC717616F0403BA6CB5C26D7E6405A2DC2AB

APIs
• std::_Deallocate.LIBCONCRT ref: 00402E2B
• API ID: Deallocatestd::_
• String ID:
• API String ID: 1323251999-0
• Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
• Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: recv
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1507349165-0
                                                                                                                        • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                                                                                        • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                                                                                                        • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                                                                                                        • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: send
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2809346765-0
                                                                                                                        • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                                                                        • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                                                                                                        • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                                                                                                        • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                                                                                                        APIs
                                                                                                                        • VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AllocVirtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4275171209-0
                                                                                                                        • Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                                                                                        • Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
                                                                                                                        • Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
                                                                                                                        • Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00405723
                                                                                                                        • CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
                                                                                                                        • CreatePipe.KERNEL32(00476CC8,00476CE4,00476BE8,00000000), ref: 004057CC
                                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
                                                                                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                                                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0,004660D0,00000062,004660B4), ref: 004059E4
                                                                                                                        • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                                                                        • CloseHandle.KERNEL32 ref: 00405A23
                                                                                                                        • CloseHandle.KERNEL32 ref: 00405A2B
                                                                                                                        • CloseHandle.KERNEL32 ref: 00405A3D
                                                                                                                        • CloseHandle.KERNEL32 ref: 00405A45
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                                        • String ID: @lG$@lG$@lG$@lG$@lG$SystemDrive$cmd.exe$kG$lG$lG$lG$lG
                                                                                                                        • API String ID: 2994406822-3565532687
                                                                                                                        • Opcode ID: ed62c23c53725221b76e836c66f223a8bd45fa763fe8e4e58d6a84668ac982bc
                                                                                                                        • Instruction ID: efba9956b6c01968ba48be3e84054341744464a70a9fb060b5e58b4ef4e39929
                                                                                                                        • Opcode Fuzzy Hash: ed62c23c53725221b76e836c66f223a8bd45fa763fe8e4e58d6a84668ac982bc
                                                                                                                        • Instruction Fuzzy Hash: ED91B271600604AFD711FB35AD41A6B3AAAEB84344F01443FF549A72E2DB7D9C488F6D
                                                                                                                        APIs
                                                                                                                        • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                                                                          • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
                                                                                                                          • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C3AD
                                                                                                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
                                                                                                                          • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C463
                                                                                                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C46A
                                                                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                                                                                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                                                                          • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                                                                          • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                                          • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                                          • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                                        • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                                                                          • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                                                        • String ID: (aF$8PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$hPG$hPG$hPG$hPG$open
                                                                                                                        • API String ID: 1067849700-1785547828
                                                                                                                        • Opcode ID: 7d838f67f1e8217f424b98296d8301489d3d18191cf4cc2d13ec93ff269f2030
                                                                                                                        • Instruction ID: d596b55e62c6dc406d7f5c06aadeacefb76b4acf2f669351df47ebe9cc805958
                                                                                                                        • Opcode Fuzzy Hash: 7d838f67f1e8217f424b98296d8301489d3d18191cf4cc2d13ec93ff269f2030
                                                                                                                        • Instruction Fuzzy Hash: 9F4282716043016BC604FB76C9579AE77A9AF91348F80483FF582671E2EE7C9908C79B
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                                                                          • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                          • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                                          • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                                                        • String ID: (TG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$RG
                                                                                                                        • API String ID: 3018269243-1913798818
                                                                                                                        • Opcode ID: 59c36cd5938545f1a1f240dfeccaea4fdfaec488e69936b44dccc71e2b46a8e1
                                                                                                                        • Instruction ID: 26abbb7e12f392f9fbc718c06b30ae47eaa1113e002934215aad22704783e961
                                                                                                                        • Opcode Fuzzy Hash: 59c36cd5938545f1a1f240dfeccaea4fdfaec488e69936b44dccc71e2b46a8e1
                                                                                                                        • Instruction Fuzzy Hash: 3C71A23160420167C604FB72CD579AE77A4AE94308F40097FF586A61E2FFBC9945C69E
                                                                                                                        APIs
                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$CloseFile$FirstNext
                                                                                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                                        • API String ID: 1164774033-3681987949
                                                                                                                        • Opcode ID: 18342867f734f2841e669af5083de8c2dab1af7c47cb6c1de474c139f9f473ff
                                                                                                                        • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                                                                                        • Opcode Fuzzy Hash: 18342867f734f2841e669af5083de8c2dab1af7c47cb6c1de474c139f9f473ff
                                                                                                                        • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                                                                                        APIs
                                                                                                                        • OpenClipboard.USER32 ref: 004168FD
                                                                                                                        • EmptyClipboard.USER32 ref: 0041690B
                                                                                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                                                                                        • CloseClipboard.USER32 ref: 00416990
                                                                                                                        • OpenClipboard.USER32 ref: 00416997
                                                                                                                        • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                                                        • CloseClipboard.USER32 ref: 004169BF
                                                                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                                        • String ID: !D@$xdF
                                                                                                                        • API String ID: 3520204547-3540039394
                                                                                                                        • Opcode ID: 39772432d56cfe4eb14fdac75839e1279500087a28f6359788c1c709076d09b9
                                                                                                                        • Instruction ID: 40a69bedac3bd734cdfdd6227e623399476ab8ebe6f0a7c245c4ec6d1d06efb6
                                                                                                                        • Opcode Fuzzy Hash: 39772432d56cfe4eb14fdac75839e1279500087a28f6359788c1c709076d09b9
                                                                                                                        • Instruction Fuzzy Hash: 16215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                                                                                        APIs
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750F4,?,00475348), ref: 0040F4C9
                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475348), ref: 0040F4F4
                                                                                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475348), ref: 0040F59E
                                                                                                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00475348), ref: 0040F6A9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF$RG
                                                                                                                        • API String ID: 3756808967-1574553308
                                                                                                                        • Opcode ID: 277d96cf34d7a1c9247649cf876a047f244a6c2fe09a2f639ae2f5cdf8dbe9f6
                                                                                                                        • Instruction ID: f7ffc7f0dfbd756cb6275d6ec2ba0be94116b78c8c9f611e281f0170cc986b4a
                                                                                                                        • Opcode Fuzzy Hash: 277d96cf34d7a1c9247649cf876a047f244a6c2fe09a2f639ae2f5cdf8dbe9f6
                                                                                                                        • Instruction Fuzzy Hash: 4C7130705083419AC724FB21D8559AEB7E4AF90348F40483FF586631E3EF79994DCB9A
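The entries above (the Firefox stored-logins routine, the clipboard routine and the process-enumeration routine that names ieinstal.exe and ielowutil.exe) are the raw material a hunter turns into behaviour tags and file IOCs. What follows is an added example, not part of the Joe Sandbox report or its tooling: a parser for this entry format that extracts each API call, the '$'-joined String ID list and the fuzzy hashes, then applies a small set of behaviour heuristics of my own (assumptions, not Joe Sandbox signatures). The sample input is constructed from three entries on this page with the repeated memory-dump lines left out.

```python
"""Parse the per-function entries of a Joe Sandbox code-analysis report (the
'APIs' and 'Similarity' bullet blocks above) into records and tag each entry
with the behaviour its API set and strings imply.

Added example; not part of the Joe Sandbox report. The behaviour rules are
this example's own heuristics (assumptions), not Joe Sandbox signatures."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three entries copied from the report above.
SAMPLE_REPORT = r"""
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
• FindClose.KERNEL32(00000000), ref: 0040BC04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
• Opcode Fuzzy Hash: 18342867f734f2841e669af5083de8c2dab1af7c47cb6c1de474c139f9f473ff
• Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
APIs
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID: !D@$xdF
• Opcode Fuzzy Hash: 39772432d56cfe4eb14fdac75839e1279500087a28f6359788c1c709076d09b9
• Instruction Fuzzy Hash: 16215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750F4,?,00475348), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475348), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF$RG
• Opcode Fuzzy Hash: 277d96cf34d7a1c9247649cf876a047f244a6c2fe09a2f639ae2f5cdf8dbe9f6
• Instruction Fuzzy Hash: 4C7130705083419AC724FB21D8559AEB7E4AF90348F40483FF586631E3EF79994DCB9A
"""

API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_LINE = re.compile(
    r"^•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall: Optional[str] = None   # callee address when listed as a subcall

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    strings: list = field(default_factory=list)

def parse_report(text):
    """Split the report into entries; an entry ends at its Instruction Fuzzy Hash."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue                      # headers, dump sources, link text
        key, val = m["key"], m["val"].strip()
        cur.fields[key] = val
        if key == "String ID":
            # Joe Sandbox joins strings with '$'; a literal '$' inside a string
            # cannot be told apart from the separator, so this is best effort.
            cur.strings = [s for s in val.split("$") if s]
        if key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = FunctionEntry()
    if cur.apis or cur.fields:            # trailing entry cut off before its hash
        entries.append(cur)
    return entries

# (tag, APIs that must all be present, regex any string must match or None).
# Heuristics of this example only.
BEHAVIOUR_RULES = [
    ("keylogging", {"GetKeyboardState", "ToUnicodeEx"}, None),
    ("clipboard_capture_and_send", {"GetClipboardData", "send"}, None),
    ("firefox_credential_wipe", {"FindFirstFileA"}, r"\\(logins\.json|key[34]\.db|cookies\.sqlite)$"),
    ("process_enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW"}, None),
    ("process_lookup_by_name", {"CreateToolhelp32Snapshot", "OpenProcess"}, r"\.exe$"),
    ("watchdog", set(), r"(?i)watchdog"),
]

def classify(entry):
    names = {c.name for c in entry.apis}
    tags = []
    for tag, needed, pattern in BEHAVIOUR_RULES:
        api_ok = needed <= names
        str_ok = pattern is None or any(re.search(pattern, s) for s in entry.strings)
        if api_ok and str_ok:
            tags.append(tag)
    return tags

def file_artifacts(entry):
    """Strings that look like paths or file names, usable as hunting IOCs."""
    hits = {s for s in entry.strings
            if "\\" in s or s.lower().endswith((".exe", ".db", ".json", ".sqlite"))}
    return sorted(hits)

if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(e.fields.get("Instruction Fuzzy Hash", "")[:16], classify(e), file_artifacts(e))
```

The fuzzy hashes come along in `fields` so the same records can be compared against entries from other samples; the tags are only as good as the rule table, which is why the rule for logins.json deletion also requires the FindFirstFileA walk rather than the string alone.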
                                                                                                                        APIs
                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                                                                        • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$Close$File$FirstNext
                                                                                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                                        • API String ID: 3527384056-432212279
                                                                                                                        • Opcode ID: d80be7de76e7ea0c32fca0f5c326f19f203fb83dcddea2239218120f3223656a
                                                                                                                        • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                                                                                        • Opcode Fuzzy Hash: d80be7de76e7ea0c32fca0f5c326f19f203fb83dcddea2239218120f3223656a
                                                                                                                        • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
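The two Firefox routines on this page walk \AppData\Roaming\Mozilla\Firefox\Profiles\ and, per their strings, clear logins.json and key3.db (the stored-logins routine) and cookies.sqlite (the cookies routine). What follows is an added example, not part of the Joe Sandbox report: a host check a responder can run to see whether those stores are missing from profiles that Firefox has actually used. It assumes that places.sqlite and key4.db exist in any profile Firefox has run, that key3.db is the legacy (pre-Firefox 58) key store and is normally absent on current installs, and that logins.json is created only once a login has been saved, so its absence is reported as possible rather than confirmed wiping. The fixture tree is constructed in a temp directory.

```python
"""Check Firefox profiles for the credential and cookie stores that the two
routines above delete, so a responder can tell whether the
'[Firefox StoredLogins Cleared!]' or '[Firefox cookies found, cleared!]'
code paths ran on a host.

Added example; not part of the Joe Sandbox report. The verdict logic rests on
the assumptions stated in assess_profile()."""
import configparser
import pathlib
import tempfile

# File names taken from the String IDs of the two Firefox routines above.
TARGETED = ("logins.json", "key3.db", "cookies.sqlite")

def firefox_profiles(firefox_dir):
    """Resolve profile directories from profiles.ini, honouring IsRelative."""
    firefox_dir = pathlib.Path(firefox_dir)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(firefox_dir / "profiles.ini")
    dirs = []
    for section in cp.sections():
        if "Path" in cp[section]:
            p = pathlib.Path(cp[section]["Path"])
            dirs.append(firefox_dir / p if cp[section].get("IsRelative", "1") == "1" else p)
    return dirs

def assess_profile(profile_dir):
    """Return which targeted files exist and a wipe verdict for one profile.

    Assumptions: places.sqlite and key4.db exist in any profile Firefox has run
    (the profile is 'established'); key3.db is the pre-Firefox 58 key store and
    is normally absent on current installs, so its absence alone is not
    evidence; cookies.sqlite is present in every established profile, so its
    absence there is a strong wipe indicator; logins.json appears only once a
    login has been saved, so its absence is 'possible' rather than confirmed."""
    profile_dir = pathlib.Path(profile_dir)
    present = {f for f in TARGETED + ("key4.db", "places.sqlite")
               if (profile_dir / f).is_file()}
    if "places.sqlite" not in present:
        verdict = "unused-profile"
    elif "cookies.sqlite" not in present:
        verdict = "cookies-wiped"
    elif "key4.db" in present and "logins.json" not in present:
        verdict = "logins-possibly-wiped"
    else:
        verdict = "intact"
    return {"profile": profile_dir.name, "present": sorted(present), "verdict": verdict}

def assess_all(firefox_dir):
    return [assess_profile(p) for p in firefox_profiles(firefox_dir)]

def build_demo_tree():
    """Constructed fixture: four profiles under a temp dir, one per verdict."""
    root = pathlib.Path(tempfile.mkdtemp())
    layout = {
        "abc.default":   ("places.sqlite", "key4.db", "logins.json", "cookies.sqlite"),
        "def.nologins":  ("places.sqlite", "key4.db", "cookies.sqlite"),   # logins.json gone
        "ghi.nocookies": ("places.sqlite", "key4.db", "logins.json"),      # cookies.sqlite gone
        "jkl.fresh":     (),                                                # never started
    }
    ini = ["[General]", "StartWithLastProfile=1"]
    for i, (name, files) in enumerate(layout.items()):
        d = root / "Profiles" / name
        d.mkdir(parents=True)
        for f in files:
            (d / f).write_bytes(b"")
        ini += [f"[Profile{i}]", f"Name={name}", "IsRelative=1", f"Path=Profiles/{name}"]
    (root / "profiles.ini").write_text("\n".join(ini) + "\n")
    return root

if __name__ == "__main__":
    # On a live Windows host pass %APPDATA%\Mozilla\Firefox instead of the fixture.
    for r in assess_all(build_demo_tree()):
        print(r["profile"], r["verdict"], r["present"])
```

Run it against a mounted image or the live %APPDATA%\Mozilla\Firefox directory; a "cookies-wiped" result on an established profile matches what the cookies routine does, while "logins-possibly-wiped" needs corroboration (file-system journal, VSS copies or the user's account of having saved passwords) before it is treated as evidence.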
                                                                                                                        APIs
                                                                                                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 297527592-0
                                                                                                                        • Opcode ID: 99f17da9e7d54f956def1805155cc27ac6796c213d0ac5a717a51dbca6d250a6
                                                                                                                        • Instruction ID: cfdeae1586e3f17d3ae994cf28232467201964e06db1490d1c70a6fe2d897c90
                                                                                                                        • Opcode Fuzzy Hash: 99f17da9e7d54f956def1805155cc27ac6796c213d0ac5a717a51dbca6d250a6
                                                                                                                        • Instruction Fuzzy Hash: A841F371104301BBD7109F26EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0$1$2$3$4$5$6$7
                                                                                                                        • API String ID: 0-3177665633
                                                                                                                        • Opcode ID: 0a489d5e0e760ad1c7226f97b7491b422d815e77a9228981358e888a0221c37f
                                                                                                                        • Instruction ID: 3c74f5afe55031bef20d6cb4aa2bc38f0c43463ce83be6e36937eb537edf8bdf
                                                                                                                        • Opcode Fuzzy Hash: 0a489d5e0e760ad1c7226f97b7491b422d815e77a9228981358e888a0221c37f
                                                                                                                        • Instruction Fuzzy Hash: CB71E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
APIs
• GetForegroundWindow.USER32(?,?,00475100), ref: 0040A451
• GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
• GetKeyboardLayout.USER32(00000000), ref: 0040A464
• GetKeyState.USER32(00000010), ref: 0040A46E
• GetKeyboardState.USER32(?,?,00475100), ref: 0040A479
• ToUnicodeEx.USER32(00475154,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
• ToUnicodeEx.USER32(00475154,?,?,?,00000010,00000000,00000000), ref: 0040A535
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: (kG
• API String ID: 1888522110-2813241365
• Opcode ID: 79348ff8eaa35f6faedaca36de41c7c480938a272048c625dc6fe4e82d71162d
• Instruction ID: 3b9a32d10988b9101c987d3e8fcb44953e801c6634267c48ca941b3c69dca571
• Opcode Fuzzy Hash: 79348ff8eaa35f6faedaca36de41c7c480938a272048c625dc6fe4e82d71162d
• Instruction Fuzzy Hash: F8316D72504308BFD700DFA0DC45F9B7BECAB88754F00083AB645D61A0D7B5E948CBA6
APIs
  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
• ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
• GetProcAddress.KERNEL32(00000000), ref: 004168AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
• API String ID: 1589313981-3345310279
• Opcode ID: 3fe2131d6966d0e8fad4210f3d5d8942d0d933674c477fe61e392911f7ba54a0
• Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
• Opcode Fuzzy Hash: 3fe2131d6966d0e8fad4210f3d5d8942d0d933674c477fe61e392911f7ba54a0
• Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
APIs
• _wcslen.LIBCMT ref: 0040755C
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
• Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
• Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
• Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0041A7EF
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
• GetLastError.KERNEL32 ref: 0041A84C
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: 9816c30dbe394c6d524d412892c8543da7174021f6f617124b5cdd31ab9446d7
• Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
• Opcode Fuzzy Hash: 9816c30dbe394c6d524d412892c8543da7174021f6f617124b5cdd31ab9446d7
• Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
• FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
• FindClose.KERNEL32(00000000), ref: 0040C4B8
• FindClose.KERNEL32(00000000), ref: 0040C4E3
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
• Opcode ID: 21e961ad14d8706e1764f249261524b51ee598c5394bc24aaf15d08685e82473
• Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
• Opcode Fuzzy Hash: 21e961ad14d8706e1764f249261524b51ee598c5394bc24aaf15d08685e82473
• Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C37D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C3AD
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C41F
• DeleteFileW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C42C
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C402
• GetLastError.KERNEL32(?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C44D
• FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C463
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C46A
• FindClose.KERNEL32(00000000,?,?,?,?,?,004752E8,00475300,00000001), ref: 0041C473
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
• Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
• Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
• Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
• GetProcAddress.KERNEL32(00000000), ref: 004142AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
• Opcode ID: 9436917703c65525b4a410952c49ee231e67cb0b1ecbb4ffdc30b8bcb42e1b10
• Instruction ID: cc57822c2a7f940fffebe33daf0632284ddc1748a3b8d5e961f42c670a34d5b4
• Opcode Fuzzy Hash: 9436917703c65525b4a410952c49ee231e67cb0b1ecbb4ffdc30b8bcb42e1b10
• Instruction Fuzzy Hash: D1B1F671A0430066CA14BB76DC579AF36A89F91748F40053FB906671E2EE7D8A48C6DA
APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: 8eF$HSG$`XG$`XG
• API String ID: 341183262-1600017543
• Opcode ID: accfc33dc57a604e27af96134d0191ce68d106d82a368cb52c92c61d86f6c167
• Instruction ID: 3e2b8d556a8fbdbb081ab446324185a4f3aab8361380fbf0113865ad31d0729a
• Opcode Fuzzy Hash: accfc33dc57a604e27af96134d0191ce68d106d82a368cb52c92c61d86f6c167
• Instruction Fuzzy Hash: 588151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
Strings
• 0aF, xrefs: 0040701B
• open, xrefs: 00406FF1
• 0aF, xrefs: 0040712C
• C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, xrefs: 00407042, 0040716A
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: 0aF$0aF$C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe$open
• API String ID: 2825088817-3042448335
• Opcode ID: 3e5204223f81862385bda1ff5ee77873e60d5de2433c78ee8eabb6c6ac302f86
• Instruction ID: e12f74d6213dd3660153607da8c9b98f7978e2d251169c1aa1e307be856b925d
• Opcode Fuzzy Hash: 3e5204223f81862385bda1ff5ee77873e60d5de2433c78ee8eabb6c6ac302f86
• Instruction Fuzzy Hash: 1461C471A0830166CA14FB76C8569BE37A59F81758F40093FF9427B2D2EE3C9905C79B
APIs
• __EH_prolog.LIBCMT ref: 0040884C
• FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
Strings
Yara matches
Similarity
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID: xdF
• API String ID: 1771804793-999140092
• Opcode ID: 7c418763470d7b3aabd9e6643c5c4acf49ae96c78e6666d42e12ab98fb5e58f7
• Instruction ID: 967e03bdddb214c30410211942a515ee3c29859e80101891d5c5db132fd2cd64
• Opcode Fuzzy Hash: 7c418763470d7b3aabd9e6643c5c4acf49ae96c78e6666d42e12ab98fb5e58f7
• Instruction Fuzzy Hash: 94517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB99
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• GetLastError.KERNEL32 ref: 0040BA93
Strings
• [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
• [Chrome StoredLogins not found], xrefs: 0040BAAD
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
• UserProfile, xrefs: 0040BA59
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
• Opcode ID: f735e23f7dcfc65e86eae542564970378c4dfd97017e1c5c6a7a7620e2e54c45
• Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
• Opcode Fuzzy Hash: f735e23f7dcfc65e86eae542564970378c4dfd97017e1c5c6a7a7620e2e54c45
• Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
• OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
• GetLastError.KERNEL32 ref: 004179D8
Strings
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
• Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
• Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
• Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
• Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
APIs
Strings
Yara matches
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
• Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
• Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
• Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
APIs
• __EH_prolog.LIBCMT ref: 00409293
  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,005B18D8,00000010), ref: 004048E0
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
• FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
• FindClose.KERNEL32(00000000), ref: 004093FC
  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
• FindClose.KERNEL32(00000000), ref: 004095F4
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1824512719-0
                                                                                                                        • Opcode ID: b2b434ce7426053d64b7d7204c7279a561b4afbf635646bc6f585a4d2455e9bc
                                                                                                                        • Instruction ID: 7a56ba3823c44b8d3dadbfeca74e3365e00ee059376cf1b582d15bdd70b30780
                                                                                                                        • Opcode Fuzzy Hash: b2b434ce7426053d64b7d7204c7279a561b4afbf635646bc6f585a4d2455e9bc
                                                                                                                        • Instruction Fuzzy Hash: 8AB19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                                                                                        APIs
                                                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 276877138-0
                                                                                                                        • Opcode ID: 628d36ac3c64f627b3a8437270a5a78b3dcfd045bfbfd251d1d1fe9a009dd844
                                                                                                                        • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                                                                                        • Opcode Fuzzy Hash: 628d36ac3c64f627b3a8437270a5a78b3dcfd045bfbfd251d1d1fe9a009dd844
                                                                                                                        • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                                                                                        APIs
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                                                                                                        • GetACP.KERNEL32 ref: 00452593
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoLocale
                                                                                                                        • String ID: ACP$OCP
                                                                                                                        • API String ID: 2299586839-711371036
                                                                                                                        • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                                                        • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                                                                                        • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                                                        • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFind$FirstNextsend
                                                                                                                        • String ID: 8eF$hPG$hPG
                                                                                                                        • API String ID: 4113138495-2076665626
                                                                                                                        • Opcode ID: 8bc6f1c049eb748117423e0a1ee21199b3bb83b849aefd3dbb2dc9b80533fde4
                                                                                                                        • Instruction ID: abfa5a3658aec55442980c0effbd4670719d50d4d7308f226e3cac976b3f196c
                                                                                                                        • Opcode Fuzzy Hash: 8bc6f1c049eb748117423e0a1ee21199b3bb83b849aefd3dbb2dc9b80533fde4
                                                                                                                        • Instruction Fuzzy Hash: CB2195315082019BC314FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA09C65B
                                                                                                                        APIs
                                                                                                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                          • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                                                                                                          • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                                                                                                          • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                        • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                        • API String ID: 4127273184-3126330168
                                                                                                                        • Opcode ID: 1dafd4e115d1579546cfd655b47399d1506d96e03fc201f2c1b7b85ae65ff372
                                                                                                                        • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                                                                                        • Opcode Fuzzy Hash: 1dafd4e115d1579546cfd655b47399d1506d96e03fc201f2c1b7b85ae65ff372
                                                                                                                        • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                                                                                        APIs
                                                                                                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                                                                                        • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                                                                        • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                                                                        • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                                                                        • String ID: SETTINGS
                                                                                                                        • API String ID: 3473537107-594951305
                                                                                                                        • Opcode ID: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                                                                                                        • Instruction ID: e87eb13c1a863bb520e8110b03cd0e44f0123e9e346c2db4eb51eb31bea7c0b5
                                                                                                                        • Opcode Fuzzy Hash: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                                                                                                        • Instruction Fuzzy Hash: 23E01276600B21EBDB211FB1AC8CD467F25E7C9B533140075FA0582271CB758840DA58
                                                                                                                        APIs
                                                                                                                        • __EH_prolog.LIBCMT ref: 004096A5
                                                                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                                                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1157919129-0
                                                                                                                        • Opcode ID: de8d8d0edd5d8a61424aad092ce358860c9bac6e1758b4239eab40e65a7e58a3
                                                                                                                        • Instruction ID: 095255599cc0af9be2c5710cd9f248f54336688560ad7ccdcde9a73cf5c292f5
                                                                                                                        • Opcode Fuzzy Hash: de8d8d0edd5d8a61424aad092ce358860c9bac6e1758b4239eab40e65a7e58a3
                                                                                                                        • Instruction Fuzzy Hash: CB813C729001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                                        • GetUserDefaultLCID.KERNEL32 ref: 0045279C
                                                                                                                        • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                         • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 745075371-0
                                                                                                                        • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                        • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                                                                        • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                        • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 38de7b8f93cc63befc86a6024166ffcd902dfb784ac7839172e09a357c8b3fe7
• Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
• Opcode Fuzzy Hash: 38de7b8f93cc63befc86a6024166ffcd902dfb784ac7839172e09a357c8b3fe7
• Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
• _wcschr.LIBVCRUNTIME ref: 00451ECA
• _wcschr.LIBVCRUNTIME ref: 00451ED8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
• Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
• Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
• Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
APIs
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• GetTimeZoneInformation.KERNEL32 ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
• Opcode ID: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
• Instruction ID: d52e19fe16dfdee109f40d049db845c42e01460133d57766726f1505d2785bee
• Opcode Fuzzy Hash: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
• Instruction Fuzzy Hash: 2D31F371904205EFDB15DF69CE8186EBBB8FF0572072446AFE024A73A1D3748D41EB28
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
• Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
• Opcode Fuzzy Hash: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
• Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
• Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
• Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
• Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
• Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
• Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
• Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
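The entries in this part of the listing mix one function that belongs to the sample (the wallpaper setter at 0041CB68, which calls SystemParametersInfoW with uiAction 0x14 and writes TileWallpaper/WallpaperStyle under HKCU\Control Panel\Desktop through subcall 004137AA) with functions that are statically linked C-runtime code: the locale and time-zone initialisers, the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple at 0043BC69 and again at 100061DA, and the GetCurrentProcess / TerminateProcess / ExitProcess sequence. The script below is an added editor's example, not part of the Joe Sandbox report or of the sample: it parses "APIs" bullets in the exact format shown on this page, names the constant arguments that matter here (0x14 = SPI_SETDESKWALLPAPER, fWinIni 0x3 = SPIF_UPDATEINIFILE|SPIF_SENDCHANGE, 0x80000001 = HKEY_CURRENT_USER, all Win32 SDK values) and tags the runtime entries so an analyst can skip them. The runtime labels are the editor's identification from well-known MSVC CRT call sequences, not something the report states, and the sample input is constructed from lines on this page.

```python
"""Parse Joe Sandbox "APIs" bullets and separate C-runtime boilerplate from the
sample's own capabilities.  Added editor's example, not part of the report."""
import re

# One "APIs" bullet: optional "Part of subcall function XXXXXXXX:" prefix,
# then Api.MODULE, optional (args), then "ref: XXXXXXXX".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")

# Win32 SDK constant values for the arguments that matter in this listing.
SPI = {0x14: "SPI_SETDESKWALLPAPER"}
SPIF = {0x1: "SPIF_UPDATEINIFILE", 0x2: "SPIF_SENDCHANGE"}
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}

# Direct-call sets that identify MSVC runtime functions (editor's identification
# from standard CRT code, not something the report asserts).
CRT_PATTERNS = [
    ({"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"},
     "MSVC runtime fail-fast handler; IsDebuggerPresent is CRT boilerplate here"),
    ({"GetCurrentProcess", "TerminateProcess", "ExitProcess"}, "CRT exit_or_terminate_process"),
    ({"GetTimeZoneInformation", "WideCharToMultiByte"}, "CRT _tzset"),
    ({"GetUserDefaultLCID", "IsValidCodePage", "IsValidLocale", "GetLocaleInfoW"}, "CRT locale init"),
]

def parse_listing(text):
    """Group API bullets under each "APIs" header; dump and hash lines are skipped.
    Each call dict has api, mod, args (raw strings), ref and sub (caller, if a subcall)."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "strings": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"api": m["api"], "mod": m["mod"], "args": args,
                                 "ref": m["ref"].upper(), "sub": m["sub"]})
        elif (m := STRING_LINE.match(line)) and m["s"].strip():
            cur["strings"] = m["s"].strip().split("$")
    return entries

def _hex(arg):  # '?' (unresolved by the tracer) and literal strings give None
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def decode_call(call):
    """Name the constant arguments of the calls that matter for triage."""
    api, a = call["api"], call["args"]
    if api == "SystemParametersInfoW" and len(a) >= 4:
        action, fwinini = _hex(a[0]), _hex(a[3])
        flags = [n for bit, n in SPIF.items() if fwinini is not None and fwinini & bit]
        return f"{SPI.get(action, 'uiAction=' + a[0])} fWinIni={'|'.join(flags) or '0'}"
    if api in ("RegCreateKeyA", "RegCreateKeyExA", "RegOpenKeyExA") and a:
        return f"root={HKEY.get(_hex(a[0]), a[0])}"
    return None

def classify(entry):
    """Return (kind, label).  Only direct calls count for CRT matching, so a sample
    function that reaches the registry through a subcall is not taken for runtime code."""
    direct = {c["api"] for c in entry["calls"] if c["sub"] is None}
    for needed, label in CRT_PATTERNS:
        if needed <= direct:
            return "runtime", label
    notes = [n for n in map(decode_call, entry["calls"]) if n]
    if any(n.startswith("SPI_SETDESKWALLPAPER") for n in notes):
        return "capability", "sets desktop wallpaper: " + "; ".join(notes + entry["strings"])
    return "unknown", "; ".join(notes) or "no decoded constants"

def triage(text):
    """One {"ref", "kind", "label"} row per entry, keyed by its first ref address."""
    rows = []
    for e in parse_listing(text):
        if e["calls"]:
            kind, label = classify(e)
            rows.append({"ref": e["calls"][0]["ref"], "kind": kind, "label": label})
    return rows

# Constructed sample: bullets copied from this page (wallpaper, IsDebuggerPresent, process exit).
SAMPLE = r"""APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
APIs
• GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
• TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
• ExitProcess.KERNEL32 ref: 0044338F
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Running it on the constructed sample yields one "capability" row for 0041CB68 and "runtime" rows for 0043BC69 and 00443376. The same three-call sequence at 100061DA in the module mapped at 10000000 classifies identically: each statically linked runtime copy carries its own fail-fast handler, which is why the IsDebuggerPresent reference appears twice in this report without either being sample anti-debug logic. The matching is deliberately strict (every call of a pattern must be a direct call of the function), so a sample function that wraps a CRT-looking sequence inside a subcall still surfaces for manual review rather than being silently dropped.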

APIs
• GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
• TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
• ExitProcess.KERNEL32 ref: 0044338F
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
• Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
• Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
• Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88

APIs
• GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
• TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
• ExitProcess.KERNEL32 ref: 10004AEE
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
• Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
• Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
• Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68

APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
• Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
• Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
• Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
• Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD

APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
• NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
• CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Process$CloseHandleOpenResume
• String ID:
• API String ID: 3614150671-0
• Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
• Instruction ID: dbaabbb0ea2570487ff62d8cf89bd30b477e7113d13ca21b8680662729a76e86
• Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
• Instruction Fuzzy Hash: 66D05E36204121E3C320176A7C0CD97AD68DBC5AA2705412AF804C26649A60CC0186E4

APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
• NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
• CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Process$CloseHandleOpenSuspend
• String ID:
• API String ID: 1999457699-0
• Opcode ID: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
• Instruction ID: 1e4755145751be78863ec26184204985b99a3e1fec7ed1e2fa2d7a7f5aac3163
• Opcode Fuzzy Hash: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
• Instruction Fuzzy Hash: 73D05E36104121E3C6211B6A7C0CD97AD68DFC5AA2705412AF904D26509A20CC0186E4

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID: MZ@
• API String ID: 2325560087-2978689999
• Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
• Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
• Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
• Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98

APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
• Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
• Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
• Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
• Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE

Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
• Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
• Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
• Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
• Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
• Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
• Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                                                                                                        APIs
                                                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,1000B5BC,?,?,00000008,?,?,1000B25C,00000000), ref: 1000B7EE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExceptionRaise
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3997070919-0
                                                                                                                        • Opcode ID: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
                                                                                                                        • Instruction ID: c899a2dc376e060411cab8954cdd4c29929d9ba6cfa71f030d59b99a2ca162da
                                                                                                                        • Opcode Fuzzy Hash: 5385f7ee1153a66eb2669645b58237e3e0719d9079e030963b5c19e75e4dc3f3
                                                                                                                        • Instruction Fuzzy Hash: 0DB16B31610A09CFE755CF28C486B647BE0FF453A4F25C658E89ACF2A5C735E982CB40
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0
                                                                                                                        • API String ID: 0-4108050209
                                                                                                                        • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                                                                                        • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                                                                                                        • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                                                                                                        • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1663032902-0
                                                                                                                        • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                                                                        • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                                                                                        • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                                                                        • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                        • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1084509184-0
                                                                                                                        • Opcode ID: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                                                                                        • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                                                                                        • Opcode Fuzzy Hash: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                                                                                        • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$InfoLocale_abort_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2692324296-0
                                                                                                                        • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                                                                                                        • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                                                                                        • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                                                                                                        • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                        • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1084509184-0
                                                                                                                        • Opcode ID: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
                                                                                                                        • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                                                                                        • Opcode Fuzzy Hash: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
                                                                                                                        • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                                                        • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1272433827-0
                                                                                                                        • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                                                                        • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                                                                                        • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                                                                        • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID: RGw@
• API String ID: 0-316194375
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID: @
• API String ID: 0-2766056989
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                        • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                                                                                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                        • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                        • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                                                                                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                        • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                                                        • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                                                                                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                                                                        • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                        • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                                                                                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                        • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                                                                        • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                                                                                                        • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                                                                                                        • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                                                                        • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                                                                                                        • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                                                                                                        • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                        • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                                                                                                        • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                                                                                        • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                        • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                                                                                                        • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                                                                                        • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                                                                        • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                                                                                                        • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                                                                                                        • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                        • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                                                                                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                        • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                                                                                                        APIs
                                                                                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                                                                          • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                                                                        • GetCursorInfo.USER32(?), ref: 00418FE2
                                                                                                                        • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                                                                                        • DeleteObject.GDI32(?), ref: 00419027
                                                                                                                        • DeleteObject.GDI32(?), ref: 00419034
                                                                                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
                                                                                                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                                                                        • DeleteDC.GDI32(?), ref: 004191B7
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                                                                        • GlobalFree.KERNEL32(?), ref: 00419283
                                                                                                                        • DeleteDC.GDI32(?), ref: 00419293
                                                                                                                        • DeleteDC.GDI32(00000000), ref: 0041929E
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (same associated dumps and IDA snapshot as the first entry above)
                                                                                                                        Similarity
                                                                                                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                                                                        • String ID: DISPLAY
                                                                                                                        • API String ID: 4256916514-865373369
                                                                                                                        • Opcode ID: f9e65dbfa61e51f6a49948392e74cf52d1b74234f8e5b27367180c65f1131f64
                                                                                                                        • Instruction ID: 987d9a4534759b20ade43e5cc0d007ec6aae9fd5378911baa39845865ae00971
                                                                                                                        • Opcode Fuzzy Hash: f9e65dbfa61e51f6a49948392e74cf52d1b74234f8e5b27367180c65f1131f64
                                                                                                                        • Instruction Fuzzy Hash: D8C15C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                                                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                                          • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                                                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                                          • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                                                                        • ExitProcess.KERNEL32 ref: 0040D80B
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (same associated dumps and IDA snapshot as the first entry above)
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                        • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$tMG$wend$while fso.FileExists("$xdF$xpF
                                                                                                                        • API String ID: 1861856835-1567776996
                                                                                                                        • Opcode ID: 378485639873f91e3566d37bd4c9dc270e24a7b07407a649f66661562ec7a51b
                                                                                                                        • Instruction ID: 74aa42f7ec26bf67edaf4e1a165d404297a62af2c65c2789fcbb2c22ca84ca6d
                                                                                                                        • Opcode Fuzzy Hash: 378485639873f91e3566d37bd4c9dc270e24a7b07407a649f66661562ec7a51b
                                                                                                                        • Instruction Fuzzy Hash: B991B1316082005AC315FB62D8529AFB3A8AF94309F50443FB64AA71E3EF7C9D49C65E
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D1E0
                                                                                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D223
                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D232
                                                                                                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                                          • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                                                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                                                                                        • ExitProcess.KERNEL32 ref: 0040D454
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (same associated dumps and IDA snapshot as the first entry above)
                                                                                                                        Similarity
                                                                                                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                                        • String ID: ")$.vbs$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$tMG$wend$while fso.FileExists("$xdF$xpF
                                                                                                                        • API String ID: 3797177996-4161133245
                                                                                                                        • Opcode ID: e15819e857d9987a51c00828583a567b15247957f90308f654141713cde74a36
                                                                                                                        • Instruction ID: d04a29aa4e51556796b06844e147f4a7cb6a24a543372ca0e3e4f3e54a9e1c14
                                                                                                                        • Opcode Fuzzy Hash: e15819e857d9987a51c00828583a567b15247957f90308f654141713cde74a36
                                                                                                                        • Instruction Fuzzy Hash: 7781A1716082405BC715FB62D8529AF73A8AF94308F10443FB58A671E3EF7C9E49C69E
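The listings above (the GDI screen-grab routine at 00418ECB-0041929E and the two uninstall routines ending in ShellExecuteW/ExitProcess at 0040D80B and 0040D454) are raw API sequences; what an analyst usually wants from them is a capability tag plus a readable view of constant arguments such as the hive handle passed to RegDeleteKeyA. The Python below is an added example written for this report, not Joe Sandbox code and not code from the sample: it parses API lines in exactly the format shown (direct calls, "Part of subcall function" entries, and the argument-less ExitProcess form), matches ordered API subsequences against a small hand-written capability table, and resolves the hive behind the first argument of Reg* calls (80000001 is the standard HKEY_CURRENT_USER handle). The two sample listings are abridged copies of the report's own lines; the capability table and its names are the example's assumptions, not report output.

```python
"""Tag capabilities from a Joe Sandbox per-function "APIs" listing.

Added example, not Joe Sandbox code. Input is the bullet-list format shown in
the report; the capability table below is this example's own assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

# One listing line: "• Api.MODULE(arg,arg), ref: 0041ABCD", optionally prefixed
# by "Part of subcall function XXXXXXXX:"; ExitProcess lines carry no "(...)".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined registry hive handles (standard Windows values).
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Ordered API steps; each step is a set of acceptable alternatives. These
# signatures are assumed for this example, derived from the report's listings.
CAPABILITIES: Dict[str, Sequence[Set[str]]] = {
    # DC on the display, compatible bitmap, blit, read the pixels back out
    "screen_capture": ({"CreateDCA", "CreateDCW"}, {"CreateCompatibleBitmap"},
                       {"BitBlt", "StretchBlt"}, {"GetDIBits"}),
    # cursor icon composited onto the captured frame
    "cursor_overlay": ({"GetCursorInfo"}, {"GetIconInfo"}, {"DrawIcon"}),
    # Run-key removal, hand-off to a script, then exit
    "uninstall_via_script": ({"RegDeleteKeyA", "RegDeleteKeyW"},
                             {"ShellExecuteW", "ShellExecuteA"}, {"ExitProcess"}),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int          # call-site address from the "ref:" field
    subcall: bool     # True for "Part of subcall function" entries


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse every API line in a listing; non-matching lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             m["callee"] is not None))
    return calls


def has_sequence(calls: Sequence[ApiCall], signature: Sequence[Set[str]],
                 include_subcalls: bool = False) -> bool:
    """True if the signature's steps occur in order (as a subsequence)."""
    steps = iter(signature)
    want = next(steps, None)
    for call in calls:
        if want is None:
            break
        if call.subcall and not include_subcalls:
            continue  # ref addresses of subcall entries belong to the callee
        if call.api in want:
            want = next(steps, None)
    return want is None


def tag_capabilities(calls: Sequence[ApiCall]) -> List[str]:
    return [name for name, sig in CAPABILITIES.items() if has_sequence(calls, sig)]


def registry_hives(calls: Sequence[ApiCall]) -> List[str]:
    """Resolve the hive handle passed as first argument to each Reg* call."""
    hives = []
    for call in calls:
        if call.api.startswith("Reg") and call.args:
            try:
                hives.append(HIVES.get(int(call.args[0], 16), call.args[0]))
            except ValueError:  # "?" or a symbolic argument
                hives.append(call.args[0])
    return hives


# Abridged copies of two listings from this report, used as sample input.
SCREENSHOT_LISTING = """
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• SelectObject.GDI32(00000000,00000000), ref: 00418F8C
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• GetIconInfo.USER32(?,?), ref: 00418FF8
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
"""

UNINSTALL_LISTING = """
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
• ExitProcess.KERNEL32 ref: 0040D80B
"""

if __name__ == "__main__":
    for name, listing in (("screenshot", SCREENSHOT_LISTING), ("uninstall", UNINSTALL_LISTING)):
        calls = parse_api_listing(listing)
        print(name, tag_capabilities(calls), registry_hives(calls))
```

Subcall entries are skipped when matching because their ref addresses belong to the callee, not to the function being described; pass include_subcalls=True to has_sequence when the callee's behaviour should count toward the tag.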
                                                                                                                        APIs
                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750F4,00000003), ref: 004124CF
                                                                                                                        • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                                                                                        • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                                                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                                                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                                                                                        • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                                                                                          • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                                                                                        • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 004126EA
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (same associated dumps and IDA snapshot as the first entry above)
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                                                                                        • String ID: (TG$.exe$HSG$WDH$exepath$open$temp_
                                                                                                                        • API String ID: 2649220323-4116078715
                                                                                                                        • Opcode ID: 1946e344db4618885ae756797aea411b1648c6a2fe0413653f6271bec6169604
                                                                                                                        • Instruction ID: 24c9a3d3f9f851b6826daa3a71410153ee30a0e468f06c14c2e22e8a151f545e
                                                                                                                        • Opcode Fuzzy Hash: 1946e344db4618885ae756797aea411b1648c6a2fe0413653f6271bec6169604
                                                                                                                        • Instruction Fuzzy Hash: B551C771A00315BBDB10ABA09C99EFE336D9B04755F10416BF901E72D2EFBC8E85865D
                                                                                                                        APIs
                                                                                                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                                                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EF0,00000000), ref: 0041B21F
                                                                                                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                                                                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                                                                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                                                                                        • SetEvent.KERNEL32 ref: 0041B2AA
                                                                                                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                                                                                        • CloseHandle.KERNEL32 ref: 0041B2CB
                                                                                                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                                                                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                                                                        • API String ID: 738084811-1354618412
                                                                                                                        • Opcode ID: 2b11b628c45eca99bb5b49995ec9e5e18930bda2377682f573c436d8876ee9d7
                                                                                                                        • Instruction ID: 3073296416e4f75d74a960dba2816641598052066ba22d453d93bca4cbe87184
                                                                                                                        • Opcode Fuzzy Hash: 2b11b628c45eca99bb5b49995ec9e5e18930bda2377682f573c436d8876ee9d7
                                                                                                                        • Instruction Fuzzy Hash: 4E51A5B12442056ED714B731DC96EBF379CDB80359F10053FB24A621E2EF789D4986AE
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                                                                                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F
                                                                                                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401D8F
                                                                                                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F
                                                                                                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401DBF
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401DD0
                                                                                                                        • WriteFile.KERNEL32(00000000,00472ACA,00000002,00000000,00000000), ref: 00401DE1
                                                                                                                        • WriteFile.KERNEL32(00000000,00472ACC,00000004,00000000,00000000), ref: 00401DF1
                                                                                                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401E01
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401E12
                                                                                                                        • WriteFile.KERNEL32(00000000,00472AD6,00000002,00000000,00000000), ref: 00401E23
                                                                                                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33
                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401E43
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Write$Create
                                                                                                                        • String ID: RIFF$WAVE$data$fmt
                                                                                                                        • API String ID: 1602526932-4212202414
                                                                                                                        • Opcode ID: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                                                                                                        • Instruction ID: 52f5d26e7cd893c7c7a939122a780f0294375d64c437cdec10b118f5e091287a
                                                                                                                        • Opcode Fuzzy Hash: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                                                                                                        • Instruction Fuzzy Hash: 61414D72644208BAE210DB51DD85FBB7FECEB89F54F40041AFA44D6081E7A5E909DBB3
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe,00000003,004076B0,004752E8,00407709), ref: 004072BF
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                        • String ID: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                                                                        • API String ID: 1646373207-4114833711
                                                                                                                        • Opcode ID: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                                                                                                        • Instruction ID: 830827c477b4c5a159b6e54fb752daf43fd3ce12eed95b51e760902f95858ec4
                                                                                                                        • Opcode Fuzzy Hash: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                                                                                                        • Instruction Fuzzy Hash: 66015EA0E4431676DB116F7AAD44D5B7EDD9E41351311087BB405E2292EEBCE800C9AE
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 0040CE42
                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                                                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                                                                                        • _wcslen.LIBCMT ref: 0040CF21
                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                                                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                                                                                        • _wcslen.LIBCMT ref: 0040D001
                                                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750F4,0000000E), ref: 0040D068
                                                                                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                                                                                        • ExitProcess.KERNEL32 ref: 0040D09D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                                                                        • String ID: 6$C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe$del$open$xdF$RG$RG
                                                                                                                        • API String ID: 1579085052-2336034481
                                                                                                                        • Opcode ID: a676cd901b7bd79e7cee4fd0be3e685eae181f7aa0e3581a73b5b0b2dfd9b902
                                                                                                                        • Instruction ID: ff97e746579a928a3d51456624c9bd3823d06e613cf3e42bd6c526c8f9e3827f
                                                                                                                        • Opcode Fuzzy Hash: a676cd901b7bd79e7cee4fd0be3e685eae181f7aa0e3581a73b5b0b2dfd9b902
                                                                                                                        • Instruction Fuzzy Hash: 8051C620208302ABD615B7769C92A6F67999F84719F10443FF609BA1E3EF7C9C05866E
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                                                                          • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                                                                          • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                                                                        • _strlen.LIBCMT ref: 10001855
                                                                                                                        • _strlen.LIBCMT ref: 10001869
                                                                                                                        • _strlen.LIBCMT ref: 1000188B
                                                                                                                        • _strlen.LIBCMT ref: 100018AE
                                                                                                                        • _strlen.LIBCMT ref: 100018C8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _strlen$File$CopyCreateDelete
                                                                                                                        • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                                        • API String ID: 3296212668-3023110444
                                                                                                                        • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                                        • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                                                                                        • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                                        • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                                                                                        • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                                                                                        • lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
• FindVolumeClose.KERNEL32(?), ref: 0041C1EC
• GetLastError.KERNEL32 ref: 0041C204
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
• lstrcatW.KERNEL32(?,?), ref: 0041C24A
• lstrcpyW.KERNEL32(?,?), ref: 0041C259
• GetLastError.KERNEL32 ref: 0041C261
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
• Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
• Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
• Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
• Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
• Opcode Fuzzy Hash: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
• Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
• GetCursorPos.USER32(?), ref: 0041D67A
• SetForegroundWindow.USER32(?), ref: 0041D683
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
• Shell_NotifyIconA.SHELL32(00000002,00474B58), ref: 0041D6EE
• ExitProcess.KERNEL32 ref: 0041D6F6
• CreatePopupMenu.USER32 ref: 0041D6FC
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
• Instruction ID: b66198a42bffced696eb94d9f3abdc54ecf3157c52e3fd06dc0985426ba48be4
• Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
• Instruction Fuzzy Hash: 51216BB1500208FFDF054FA4ED0EAAA7B35EB08302F000125FA19950B2D779EDA1EB18
APIs
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
• Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
• Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
• Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
• GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
• __aulldiv.LIBCMT ref: 00408D88
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
• CloseHandle.KERNEL32(00000000), ref: 00408F9F
• CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
• CloseHandle.KERNEL32(00000000), ref: 00409037
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF
• API String ID: 3086580692-731956494
• Opcode ID: 9db4e91b95c76e5edbd292d4baa53beaf22e3459b4768787c96c6f20b69a6f91
• Instruction ID: 2d1ece25e1b497defd969945f9de4b01d63c4d7912a1bb42583949d7b10afa87
• Opcode Fuzzy Hash: 9db4e91b95c76e5edbd292d4baa53beaf22e3459b4768787c96c6f20b69a6f91
• Instruction Fuzzy Hash: 76B1A0316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB9B
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
  • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
  • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
• ExitProcess.KERNEL32 ref: 0040D9FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$Temp$exepath$open$xdF
• API String ID: 1913171305-3121233398
• Opcode ID: ea53210127afbc95078edb33410f87b374f1afdd9874f35c0ce5cc0d7b4dc831
• Instruction ID: 050033375253242a90a907d975c9615f3488646990559cd5331657e2136e0730
• Opcode Fuzzy Hash: ea53210127afbc95078edb33410f87b374f1afdd9874f35c0ce5cc0d7b4dc831
• Instruction Fuzzy Hash: 514139319001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E4ACA98
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
• LoadLibraryA.KERNEL32(?), ref: 00414EB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• FreeLibrary.KERNEL32(00000000), ref: 00414EF0
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
                                                                                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                                                        • String ID: \ws2_32$\wship6$getaddrinfo
                                                                                                                        • API String ID: 2490988753-3078833738
                                                                                                                        • Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                                                                                                        • Instruction ID: 3afff981d8ce70f6205f85204df1f21ec1f12b20cff6a054e3a0857f0929e507
                                                                                                                        • Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                                                                                                        • Instruction Fuzzy Hash: 3231C2B2906315ABD7209F65CC84EDF76DCAB84754F004A2AF984A3211D738D985CBAE
APIs
• ___free_lconv_mon.LIBCMT ref: 0045138A
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
• _free.LIBCMT ref: 0045137F
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 004513A1
• _free.LIBCMT ref: 004513B6
• _free.LIBCMT ref: 004513C1
• _free.LIBCMT ref: 004513E3
• _free.LIBCMT ref: 004513F6
• _free.LIBCMT ref: 00451404
• _free.LIBCMT ref: 0045140F
• _free.LIBCMT ref: 00451447
• _free.LIBCMT ref: 0045144E
• _free.LIBCMT ref: 0045146B
• _free.LIBCMT ref: 00451483
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
• Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
• Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
• Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
APIs
• ___free_lconv_mon.LIBCMT ref: 10007D06
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
• _free.LIBCMT ref: 10007CFB
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 10007D1D
• _free.LIBCMT ref: 10007D32
• _free.LIBCMT ref: 10007D3D
• _free.LIBCMT ref: 10007D5F
• _free.LIBCMT ref: 10007D72
• _free.LIBCMT ref: 10007D80
• _free.LIBCMT ref: 10007D8B
• _free.LIBCMT ref: 10007DC3
• _free.LIBCMT ref: 10007DCA
• _free.LIBCMT ref: 10007DE7
• _free.LIBCMT ref: 10007DFF
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
• Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
• Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
• Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
APIs
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
• Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
• Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
• Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
APIs
  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
• GetLastError.KERNEL32 ref: 00455D6F
• __dosmaperr.LIBCMT ref: 00455D76
• GetFileType.KERNEL32(00000000), ref: 00455D82
• GetLastError.KERNEL32 ref: 00455D8C
• __dosmaperr.LIBCMT ref: 00455D95
• CloseHandle.KERNEL32(00000000), ref: 00455DB5
• CloseHandle.KERNEL32(?), ref: 00455EFF
• GetLastError.KERNEL32 ref: 00455F31
• __dosmaperr.LIBCMT ref: 00455F38
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
• Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
• Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
• Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
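The per-function "APIs" lists above are the raw material for triaging a dump like this one, and the first entry in this block is the kind a reviewer wants flagged automatically: GetSystemDirectoryA, then LoadLibraryA and GetProcAddress for getaddrinfo, with the String ID line naming \ws2_32 and \wship6 as the libraries tried. That is runtime import resolution, so the imported-name table alone would not show the function's use of getaddrinfo. As a caveat, this exact sequence (system directory, ws2_32 then wship6, symbol getaddrinfo, MAX_PATH = 0x104 buffer) matches the getaddrinfo fallback loader that the Windows SDK's wspiapi.h statically links into programs, so on its own it is not evidence of malicious intent; the Remcos verdict on this page rests on the other signatures. The following is an added example, not Joe Sandbox code and not code from the sample: it parses the two line shapes used in these lists (direct calls and "Part of subcall function" lines), extracts symbols resolved through GetProcAddress, and attaches coarse labels. The label names ("dynamic-import-resolution", "crt-internal", "file-handle") and the rules behind them are the author's own assumptions, and the sample blocks are copied from the getaddrinfo, _free and CreateFileW entries above with long argument lists shortened.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example, not Joe Sandbox code).
Tag names and rules are assumptions; sample blocks are copied from this report."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches "• Name.MODULE(args), ref: ADDR" and "• Part of subcall function ADDR: Name.MODULE ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str            # KERNEL32, NTDLL, LIBCMT, ...
    args: tuple            # as printed by the report; "?" means unresolved
    ref: str               # call-site address
    caller: Optional[str]  # None for a direct call, else the subcall's entry address

def parse_api_block(text: str) -> list:
    """Parse every bullet of an 'APIs' block; headers and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
    return calls

def parse_string_ids(line: str) -> list:
    """Split a '• String ID: a$b$c' line into its '$'-separated string references."""
    value = line.partition("String ID:")[2].strip()
    return [s for s in value.split("$") if s] if value else []

def resolved_symbols(calls) -> set:
    """Symbol names this function itself passes to GetProcAddress (subcalls excluded)."""
    out = set()
    for c in calls:
        if c.caller is None and c.name == "GetProcAddress" and len(c.args) >= 2:
            sym = c.args[1]
            if sym != "?" and not HEX8.match(sym):  # skip unresolved and ordinal-looking args
                out.add(sym)
    return out

def tag_function(calls) -> set:
    """Coarse labels (assumed names) derived only from the function's direct calls."""
    direct = [c for c in calls if c.caller is None]
    names = {c.name for c in direct}
    tags = set()
    if any(n.startswith("LoadLibrary") for n in names) and "GetProcAddress" in names:
        tags.add("dynamic-import-resolution")
    if direct and all(c.module == "LIBCMT" for c in direct):
        tags.add("crt-internal")
    if names & {"GetFileType", "CloseHandle"} or any(n.startswith("CreateFile") for n in names):
        tags.add("file-handle")
    return tags

def triage(block: str, string_id_line: str = "") -> dict:
    """One summary record per function entry, suitable for sorting a large report."""
    calls = parse_api_block(block)
    return {
        "direct": sum(c.caller is None for c in calls),
        "subcalls": sum(c.caller is not None for c in calls),
        "tags": sorted(tag_function(calls)),
        "resolved": sorted(resolved_symbols(calls)),
        "strings": parse_string_ids(string_id_line),
    }

# Sample input copied from the entries in this report (argument lists shortened).
RESOLVER = """APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
• LoadLibraryA.KERNEL32(?), ref: 00414EB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• FreeLibrary.KERNEL32(00000000), ref: 00414EF0
"""
RESOLVER_STRINGS = r"• String ID: \ws2_32$\wship6$getaddrinfo"
CRT_BLOCK = """APIs
• ___free_lconv_mon.LIBCMT ref: 0045138A
  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
• _free.LIBCMT ref: 0045137F
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF), ref: 00446818
• _free.LIBCMT ref: 004513A1
"""
FILE_BLOCK = """APIs
  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04), ref: 00455946
• GetLastError.KERNEL32 ref: 00455D6F
• __dosmaperr.LIBCMT ref: 00455D76
• GetFileType.KERNEL32(00000000), ref: 00455D82
• CloseHandle.KERNEL32(00000000), ref: 00455DB5
"""
```

Run `triage(RESOLVER, RESOLVER_STRINGS)` to get the resolver summary (nine direct calls, symbol getaddrinfo, the two library names from the String ID line); the CRT cleanup entry comes back tagged "crt-internal", which is the sort of entry worth suppressing when skimming hundreds of functions.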
APIs
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _free
• String ID: \&G$\&G$`&G
• API String ID: 269201875-253610517
• Opcode ID: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
• Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
• Opcode Fuzzy Hash: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
• Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                                                                                        • API ID:
                                                                                                                        • String ID: 65535$udp
                                                                                                                        • API String ID: 0-1267037602
                                                                                                                        APIs
                                                                                                                        • OpenClipboard.USER32 ref: 0041697C
                                                                                                                        • EmptyClipboard.USER32 ref: 0041698A
                                                                                                                        • CloseClipboard.USER32 ref: 00416990
                                                                                                                        • OpenClipboard.USER32 ref: 00416997
                                                                                                                        • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                                                        • CloseClipboard.USER32 ref: 004169BF
                                                                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                        Similarity
                                                                                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                                                        • String ID: !D@$xdF
                                                                                                                        • API String ID: 2172192267-3540039394
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                                                                        • GetLastError.KERNEL32(?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                                                                        • __dosmaperr.LIBCMT ref: 0043A926
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                                                                        • GetLastError.KERNEL32(?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                                                                        • __dosmaperr.LIBCMT ref: 0043A963
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401BD9,?), ref: 0043A9A6
                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                                                                        • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                                                                        • _free.LIBCMT ref: 0043A9C3
                                                                                                                        • _free.LIBCMT ref: 0043A9CA
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2441525078-0
                                                                                                                        APIs
                                                                                                                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                                                                        • TranslateMessage.USER32(?), ref: 0040557E
                                                                                                                        • DispatchMessageA.USER32(?), ref: 00405589
                                                                                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 00405641
                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                        Similarity
                                                                                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                                        • API String ID: 2956720200-749203953
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                                                                        • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                                                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                                                        • String ID: <$@$@VG$@VG$Temp
                                                                                                                        • API String ID: 1704390241-1291085672
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32(00472B28,00000000,RGw@,00003000,00000004,00000000,00000001), ref: 00407418
                                                                                                                        • GetCurrentProcess.KERNEL32(00472B28,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe), ref: 004074D9
                                                                                                                        Similarity
                                                                                                                        • API ID: CurrentProcess
                                                                                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$RGw@
                                                                                                                        • API String ID: 2050909247-1783200977
                                                                                                                        APIs
                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                                                        • int.LIBCPMT ref: 00410EBC
                                                                                                                          • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                          • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                        Similarity
                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                                        • String ID: <kG$@!G$@kG
                                                                                                                        • API String ID: 3815856325-4100743575
                                                                                                                        • Opcode ID: 92c60c4b3aca24074658904995ff5281d88556c34e2f97828f11a1926fe6b537
                                                                                                                        • Instruction ID: 0588f859592fb32d2b707c82d02c9514845f82bff388d80d729849e078334d39
                                                                                                                        • Opcode Fuzzy Hash: 92c60c4b3aca24074658904995ff5281d88556c34e2f97828f11a1926fe6b537
                                                                                                                        • Instruction Fuzzy Hash: 622107329005249BCB14FBAAD8429DE7769DF48324F21416FF904E72D1DBB9AD818BDC
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: f3cbb515e58a4fb37b38339a7557c8d97296d1e23fa900708d81cf8e9cd3026f
• Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
• Opcode Fuzzy Hash: f3cbb515e58a4fb37b38339a7557c8d97296d1e23fa900708d81cf8e9cd3026f
• Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
APIs
• _free.LIBCMT ref: 004481B5
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 004481C1
• _free.LIBCMT ref: 004481CC
• _free.LIBCMT ref: 004481D7
• _free.LIBCMT ref: 004481E2
• _free.LIBCMT ref: 004481ED
• _free.LIBCMT ref: 004481F8
• _free.LIBCMT ref: 00448203
• _free.LIBCMT ref: 0044820E
• _free.LIBCMT ref: 0044821C
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
• Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
• Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
• Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
APIs
• _free.LIBCMT ref: 100059EA
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100059F6
• _free.LIBCMT ref: 10005A01
• _free.LIBCMT ref: 10005A0C
• _free.LIBCMT ref: 10005A17
• _free.LIBCMT ref: 10005A22
• _free.LIBCMT ref: 10005A2D
• _free.LIBCMT ref: 10005A38
• _free.LIBCMT ref: 10005A43
• _free.LIBCMT ref: 10005A51
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
• Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
APIs
• __EH_prolog.LIBCMT ref: 0041A04A
• GdiplusStartup.GDIPLUS(00474AE0,?,00000000), ref: 0041A07C
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
• Sleep.KERNEL32(000003E8), ref: 0041A18E
• GetLocalTime.KERNEL32(?), ref: 0041A196
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
• API String ID: 489098229-3790400642
• Opcode ID: 5919f3c6d8937f10c9d3a57548d59e68e1aceb692d4a34d8b1fbfbe8317266ff
• Instruction ID: ac563f1b8c988fbcbdb25ffa0f060f034023d1de15a29d9718e9897573209577
• Opcode Fuzzy Hash: 5919f3c6d8937f10c9d3a57548d59e68e1aceb692d4a34d8b1fbfbe8317266ff
• Instruction Fuzzy Hash: 3F518E70A00215AACB14BBB5C8529FD77A9AF54308F40403FF509AB1E2EF7C4D85C799
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: 7ae9b88ac44d9fae8c6f8244a54d471a9f83dcca97fe4f246c0da79332dd2308
• Instruction ID: 4d831fdf2c11e0d815db77489a542135a470e493f6e320739c61594aa9f7fbeb
• Opcode Fuzzy Hash: 7ae9b88ac44d9fae8c6f8244a54d471a9f83dcca97fe4f246c0da79332dd2308
• Instruction Fuzzy Hash: A4313D71940119AADB04FBA1DC96DED7739AF50309F00017EF606731E2EF785A8ACA9C
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
• lstrcpynA.KERNEL32(00474B70,Remcos,00000080), ref: 0041D558
• Shell_NotifyIconA.SHELL32(00000000,00474B58), ref: 0041D56E
• TranslateMessage.USER32(?), ref: 0041D57A
• DispatchMessageA.USER32(?), ref: 0041D584
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
• Instruction ID: c2fc9e39e559a2afed00746d39c192473857db467f2681b349ddfe36236392a3
• Opcode Fuzzy Hash: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
• Instruction Fuzzy Hash: 11015EB1840348EBD7109FA1EC4CFABBBBCABC5705F00406AF505921A1D7B8E885CB6D
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
• Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
• Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
• Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
APIs
• GetCPInfo.KERNEL32(?,?), ref: 00453EAF
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
• __alloca_probe_16.LIBCMT ref: 00453F6A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
• __alloca_probe_16.LIBCMT ref: 00454014
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
• __freea.LIBCMT ref: 00454083
• __freea.LIBCMT ref: 0045408F
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID:
• API String ID: 201697637-0
• Opcode ID: 1c79323f55dedcab474402cd530056180fcf6acbc2628831f9fcb1c62bebc053
• Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
• Opcode Fuzzy Hash: 1c79323f55dedcab474402cd530056180fcf6acbc2628831f9fcb1c62bebc053
• Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
• Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• _memcmp.LIBVCRUNTIME ref: 004454A4
• _free.LIBCMT ref: 00445515
• _free.LIBCMT ref: 0044552E
• _free.LIBCMT ref: 00445560
• _free.LIBCMT ref: 00445569
• _free.LIBCMT ref: 00445575
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
• Opcode ID: dc70f5935c4cadc04478971efa28b20dbce750eb1dc69c9fe13c760ed60cdc29
• Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
• Opcode Fuzzy Hash: dc70f5935c4cadc04478971efa28b20dbce750eb1dc69c9fe13c760ed60cdc29
• Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
• Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
• Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
• Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
• Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• API String ID: 3578746661-168337528
• Opcode ID: ad22daa9eb242d0d0359c877f25844bbc8ea6d2eab09ab2192ee404118bf9c00
• Instruction ID: cd9a01f22de2d9f6a9994d78948339ea64d6c0f71f497d0a384e35af32d82467
• Opcode Fuzzy Hash: ad22daa9eb242d0d0359c877f25844bbc8ea6d2eab09ab2192ee404118bf9c00
• Instruction Fuzzy Hash: 0E51C531A042015BC724FB36D95AAAE36A5AB80344F40453FF606576F2EF7C8985C7DE
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EF0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474F08,00404C49,00000000,00000000,00000000,?,00474F08,?), ref: 00404BA5
  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: 2150a189df16d023aaea6f06597ff48a5e6b6566d5180279f80c020d780b3e8b
• Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
• Opcode Fuzzy Hash: 2150a189df16d023aaea6f06597ff48a5e6b6566d5180279f80c020d780b3e8b
• Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
APIs
• _strftime.LIBCMT ref: 00401BD4
  • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401C86
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                                        • String ID: %Y-%m-%d %H.%M$.wav$tMG
                                                                                                                        • API String ID: 3809562944-3627046146
                                                                                                                        • Opcode ID: f217577dce8cc6f6c7ee3c0eb123ea9d824183a499dfddb96fb1e5157d8eeec6
                                                                                                                        • Instruction ID: 77224d9c3c18060e3821781750c24aeed92f5db76bec914a8a88ddbccf287b9a
                                                                                                                        • Opcode Fuzzy Hash: f217577dce8cc6f6c7ee3c0eb123ea9d824183a499dfddb96fb1e5157d8eeec6
                                                                                                                        • Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
                                                                                                                        APIs
                                                                                                                        • AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                                                                                                        • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Console$Window$AllocOutputShow
                                                                                                                        • String ID: Remcos v$5.2.0 Pro$CONOUT$
                                                                                                                        • API String ID: 4067487056-793934204
                                                                                                                        • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                                                                        • Instruction ID: a031bdd2f27af694b11ce09d1e3c688e218bb3586dee27dfc95755d0e541b829
                                                                                                                        • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                                                                                                        • Instruction Fuzzy Hash: 2D014471A80304BBD610F7F19D8BF9EB7AC9B18B05F500527BA04A70D2EB6DD944466E
                                                                                                                        Strings
                                                                                                                        • C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, xrefs: 004076FF
                                                                                                                        • RG, xrefs: 004076DF
                                                                                                                        • xdF, xrefs: 004076E4
                                                                                                                        • 0SG, xrefs: 00407715
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0SG$C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe$xdF$RG
                                                                                                                        • API String ID: 0-3337342306
                                                                                                                        • Opcode ID: bfa82963eea25e7f3a1000047237d0892740d3b416b353ce1bd886ed4ccf4a83
                                                                                                                        • Instruction ID: 8e81a4762a03630119b5543cf4782e43f3d691fcab72f30749e56a9243805afb
                                                                                                                        • Opcode Fuzzy Hash: bfa82963eea25e7f3a1000047237d0892740d3b416b353ce1bd886ed4ccf4a83
                                                                                                                        • Instruction Fuzzy Hash: 08F0F6B0A14141ABCB1067355D286AA3756A784397F00487BF547FB2F2EBBD5C82861E
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                                                                        • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                                                                        • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                                                        • __freea.LIBCMT ref: 0044AEB0
                                                                                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                        • __freea.LIBCMT ref: 0044AEB9
                                                                                                                        • __freea.LIBCMT ref: 0044AEDE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3864826663-0
                                                                                                                        • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                                                                        • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                                                                        • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                                                                        • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                                                                                        APIs
                                                                                                                        • SendInput.USER32 ref: 00419A25
                                                                                                                        • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                                                        • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                                                          • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InputSend$Virtual
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1167301434-0
                                                                                                                        • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                                        • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                                                                        • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                                        • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: __freea$__alloca_probe_16_free
                                                                                                                        • String ID: a/p$am/pm$h{D
                                                                                                                        • API String ID: 2936374016-2303565833
                                                                                                                        • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                                                                        • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                                                        • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                                                                        • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                        • _free.LIBCMT ref: 00444E87
                                                                                                                        • _free.LIBCMT ref: 00444E9E
                                                                                                                        • _free.LIBCMT ref: 00444EBD
                                                                                                                        • _free.LIBCMT ref: 00444ED8
                                                                                                                        • _free.LIBCMT ref: 00444EEF
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$AllocateHeap
                                                                                                                        • String ID: KED
                                                                                                                        • API String ID: 3033488037-2133951994
                                                                                                                        • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                                                                        • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                                                        • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                                                                        • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                                                        APIs
                                                                                                                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                                                                        • __fassign.LIBCMT ref: 0044B4F9
                                                                                                                        • __fassign.LIBCMT ref: 0044B514
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1324828854-0
                                                                                                                        • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                                        • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                                                                        • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                                                        • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                                                                        APIs
                                                                                                                        • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                        • __fassign.LIBCMT ref: 1000954F
                                                                                                                        • __fassign.LIBCMT ref: 1000956A
                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100095AF
                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 100095E8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1324828854-0
                                                                                                                        • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                        • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                                        • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                        • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                                                                                                        APIs
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                                        • ExitThread.KERNEL32 ref: 004018F6
                                                                                                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EF0,00000000), ref: 00401A04
                                                                                                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                        • String ID: `kG$hMG$kG
                                                                                                                        • API String ID: 1649129571-3851552405
                                                                                                                        • Opcode ID: 416df4ce0e3ed1841ee5b875f361b7b9f6b2ffd239473d06efad63e06e7684bf
                                                                                                                        • Instruction ID: dc699b77c08b599092ddf19de7d80486fcd8c0a7edd7622242773fc29a9484b7
                                                                                                                        • Opcode Fuzzy Hash: 416df4ce0e3ed1841ee5b875f361b7b9f6b2ffd239473d06efad63e06e7684bf
                                                                                                                        • Instruction Fuzzy Hash: 3441C2312042009BC324FB36DD96ABE73A6AB85354F00453FF54AA61F1DF38AD4AC61E
                                                                                                                        APIs
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                        • String ID: csm
                                                                                                                        • API String ID: 1170836740-1018135373
                                                                                                                        • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                        • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                                        • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                        • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750F4), ref: 00413678
                                                                                                                          • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                                                          • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                          • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                                                        • _wcslen.LIBCMT ref: 0041B7F4
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                        • String ID: .exe$HSG$http\shell\open\command$program files (x86)\$program files\
                                                                                                                        • API String ID: 3286818993-930133217
                                                                                                                        • Opcode ID: b86b44ed08d52466cfc9a3801a6d71745e254f0deb3e8f8ed9e40c284f2e6556
                                                                                                                        • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                                                        • Opcode Fuzzy Hash: b86b44ed08d52466cfc9a3801a6d71745e254f0deb3e8f8ed9e40c284f2e6556
                                                                                                                        • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                                                          • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                                                          • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                                                        • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                                                        • API String ID: 1133728706-4073444585
                                                                                                                        • Opcode ID: 8584a8e929dd88755208e5dc6c929038a2b3d03118b5dfc9d3733d7f14428daa
                                                                                                                        • Instruction ID: 7718d61ab729039ae94473664947c91a52367f601ff6055b29c84dcba8ed2574
                                                                                                                        • Opcode Fuzzy Hash: 8584a8e929dd88755208e5dc6c929038a2b3d03118b5dfc9d3733d7f14428daa
                                                                                                                        • Instruction Fuzzy Hash: E7215230A40219A6CB14F7F1CC969EE7729AF50744F80017FE502B71D1EB7D6945C6DA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                                                                        • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                                                        • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                                                                        • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                                                        APIs
                                                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
                                                                                                                        • waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
                                                                                                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
                                                                                                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
                                                                                                                        • waveInStart.WINMM ref: 00401B82
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                                                        • String ID: tMG
                                                                                                                        • API String ID: 1356121797-30866661
                                                                                                                        • Opcode ID: a32bf82f151408e5f3abe306aa4422ab47744250154bd8f7e0bff8bea5466356
                                                                                                                        • Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
                                                                                                                        • Opcode Fuzzy Hash: a32bf82f151408e5f3abe306aa4422ab47744250154bd8f7e0bff8bea5466356
                                                                                                                        • Instruction Fuzzy Hash: 8E2148716042019FC7299F6AEE09A697BAAFB84711B04403EE10DD76F1DBF848C5CB2C
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                                                        • _free.LIBCMT ref: 00450FC8
                                                                                                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                        • _free.LIBCMT ref: 00450FD3
                                                                                                                        • _free.LIBCMT ref: 00450FDE
                                                                                                                        • _free.LIBCMT ref: 00451032
                                                                                                                        • _free.LIBCMT ref: 0045103D
                                                                                                                        • _free.LIBCMT ref: 00451048
                                                                                                                        • _free.LIBCMT ref: 00451053
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                        • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                                                        • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                                                        • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                        • _free.LIBCMT ref: 100092AB
                                                                                                                          • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                          • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                        • _free.LIBCMT ref: 100092B6
                                                                                                                        • _free.LIBCMT ref: 100092C1
                                                                                                                        • _free.LIBCMT ref: 10009315
                                                                                                                        • _free.LIBCMT ref: 10009320
                                                                                                                        • _free.LIBCMT ref: 1000932B
                                                                                                                        • _free.LIBCMT ref: 10009336
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                        • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                                        • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                        • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                                                                                        APIs
                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                                                        • int.LIBCPMT ref: 004111BE
                                                                                                                          • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                                                          • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                                                        • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                                                        • String ID: 8mG
                                                                                                                        • API String ID: 2536120697-3990007011
                                                                                                                        • Opcode ID: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                                                                                                        • Instruction ID: 3a14b803bc510f5ed1108d30ac07207671fc4f07faef22c9ffd8c11cb1ae2def
                                                                                                                        • Opcode Fuzzy Hash: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                                                                                                        • Instruction Fuzzy Hash: D3112332900124A7CB14EBAAD8018DEBBA99F44364F11456FFE04B72E1DB789E41CBD8
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                                                        • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3852720340-0
                                                                                                                        • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                                                        • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                                                                        • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                                                        • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                                                                        APIs
                                                                                                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe), ref: 0040760B
                                                                                                                          • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                                                          • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                                                        • CoUninitialize.OLE32 ref: 00407664
                                                                                                                        Strings
                                                                                                                        • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                                                                                                        • [+] ShellExec success, xrefs: 00407649
                                                                                                                        • [+] before ShellExec, xrefs: 0040762C
                                                                                                                        • C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: InitializeObjectUninitialize_wcslen
                                                                                                                        • String ID: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                                                        • API String ID: 3851391207-1840923708
                                                                                                                        • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                                        • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                                                                        • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                                                        • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                                                                        APIs
                                                                                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                                                        • GetLastError.KERNEL32 ref: 0040BB22
                                                                                                                        Strings
                                                                                                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                                                        • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                                                        • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                                                        • UserProfile, xrefs: 0040BAE8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DeleteErrorFileLast
                                                                                                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                                                        • API String ID: 2018770650-304995407
APIs
• _free.LIBCMT ref: 1000536F
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 10005381
• _free.LIBCMT ref: 10005394
• _free.LIBCMT ref: 100053A5
• _free.LIBCMT ref: 100053B6
Strings
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: 8c_
• API String ID: 776569668-1614616891
APIs
• __allrem.LIBCMT ref: 0043ACE9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
• __allrem.LIBCMT ref: 0043AD1C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
• __allrem.LIBCMT ref: 0043AD51
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
• __freea.LIBCMT ref: 10008A08
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• __freea.LIBCMT ref: 10008A11
• __freea.LIBCMT ref: 10008A36
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
APIs
• Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
• API String ID: 3469354165-985523790
APIs
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
APIs
• _strlen.LIBCMT ref: 10001607
• _strcat.LIBCMT ref: 1000161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
• lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
• lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
• lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
APIs
• lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
APIs
• GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
• SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
• _free.LIBCMT ref: 004482CC
• _free.LIBCMT ref: 004482F4
• SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
• _abort.LIBCMT ref: 00448313
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
• _free.LIBCMT ref: 10005B2D
• _free.LIBCMT ref: 10005B55
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
• _abort.LIBCMT ref: 10005B74
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: @^E
• API String ID: 269201875-2908066071
                                                                                                                        • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                                                        • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                                                                        • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                                                        • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: (aF$,aF$xdF
• API String ID: 3114080316-1322504040
• Opcode ID: 2814f23ff7f4cd032515bd0a3ddfc1b764ebd934d5cd4c5e8cb482b4bc473408
• Instruction ID: 9135d8dbad86ad48596e871537d7b2906c3d36c2a7f97e2d86650b4d09e6d137
• Opcode Fuzzy Hash: 2814f23ff7f4cd032515bd0a3ddfc1b764ebd934d5cd4c5e8cb482b4bc473408
• Instruction Fuzzy Hash: E341A0316082406AC324FB26D852AEF72A59FD1348F80883FF54A671D6EF7C5D49866E
APIs
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
Strings
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
• Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
• Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
• Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
• Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
APIs
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• __Init_thread_footer.LIBCMT ref: 0040B7D2
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]$ mG$xdF
• API String ID: 1881088180-3895790603
• Opcode ID: 1e9d3e750ddbe1ccdb9acf5c7601443bc27d6b4fc9fa2cb0e9a3882c1643f944
• Instruction ID: 5c7e69c9d376070a9f10adc198010d279a990252db190bacd7f595afc81a80c0
• Opcode Fuzzy Hash: 1e9d3e750ddbe1ccdb9acf5c7601443bc27d6b4fc9fa2cb0e9a3882c1643f944
• Instruction Fuzzy Hash: B5216D31A102198ACB14FBA6D8929EDB375AF54318F10403FE506771E2EF7C6D4ACA8C
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: hQG
• API String ID: 1958988193-4070439852
• Opcode ID: bdea57dd96df53d9e829f51e58303117b441e911e19fc522471032f737d6d9df
• Instruction ID: fcd55a72cf9b38ed92eee25b8fc798016c5179a181dae4a4499eb8880f316315
• Opcode Fuzzy Hash: bdea57dd96df53d9e829f51e58303117b441e911e19fc522471032f737d6d9df
• Instruction Fuzzy Hash: 3E113130600740AADA30A7249889A1F37BAD741356F44483EE182676D3C67DDC64C71F
APIs
• RegisterClassExA.USER32(00000030), ref: 0041D5EC
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
• GetLastError.KERNEL32 ref: 0041D611
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
• Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
• Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
• Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
APIs
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
• CloseHandle.KERNEL32(?), ref: 004077E5
• CloseHandle.KERNEL32(?), ref: 004077EA
Strings
• C:\Windows\System32\cmd.exe, xrefs: 004077D1
• /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
• API String ID: 2922976086-4183131282
• Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
• Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
• Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
• Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                                                                                                        APIs
                                                                                                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,RG), ref: 0041385A
                                                                                                                        • RegSetValueExW.ADVAPI32(RG,?,00000000,00000001,00000000,00000000,00475300,?,0040F85E,pth_unenc,004752E8), ref: 00413888
                                                                                                                        • RegCloseKey.ADVAPI32(?,?,0040F85E,pth_unenc,004752E8), ref: 00413893
                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc$RG
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
• FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
APIs
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
• PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
• Sleep.KERNEL32(00002710), ref: 0041AE98
• PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PlaySound$HandleLocalModuleSleepTime
• String ID: Alarm triggered
APIs
• GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
• GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
• SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
• SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
Strings
• ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Console$AttributeText$BufferHandleInfoScreen
• String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
• CloseHandle.KERNEL32(00000000), ref: 0040FB40
  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475348), ref: 0041C08B
  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475348), ref: 0041C096
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2180151492-0
                                                                                                                        • Opcode ID: 44499a65df277ea81acc7cee3ae622ea02de6a98a283c98d14b5c9bc8d2c310f
                                                                                                                        • Instruction ID: 39de0d33b69ea9088fa68d935cf3ef43cf04ff0480c7130c1a021fac56d243da
                                                                                                                        • Opcode Fuzzy Hash: 44499a65df277ea81acc7cee3ae622ea02de6a98a283c98d14b5c9bc8d2c310f
                                                                                                                        • Instruction Fuzzy Hash: 8D4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 269201875-0
                                                                                                                        • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                                        • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                                                                        • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                                        • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00451231
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                                                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                                                                        • __freea.LIBCMT ref: 0045129D
                                                                                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 313313983-0
                                                                                                                        • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                                                                        • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                                                                        • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                                                                        • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                                                                                                          • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                                                                          • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                                                                        • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseOpenQuerySleepValue
                                                                                                                        • String ID: HSG$exepath$xdF$RG
                                                                                                                        • API String ID: 4119054056-3038920021
                                                                                                                        • Opcode ID: c4910f7145f7cabad12a11c825a9982b7c40ce0abb7968876c3fce6d3367946f
                                                                                                                        • Instruction ID: 7f535f989f64e3217726da85717e45219a172cbdcd35e6ae3f2d68e0f7be43ad
                                                                                                                        • Opcode Fuzzy Hash: c4910f7145f7cabad12a11c825a9982b7c40ce0abb7968876c3fce6d3367946f
                                                                                                                        • Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
                                                                                                                        APIs
                                                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                                                        • _free.LIBCMT ref: 0044F43F
                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 336800556-0
                                                                                                                        • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                                                                        • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                                                                        • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                                                                        • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                                                                        APIs
                                                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                                          • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                                        • _free.LIBCMT ref: 100071B8
                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 336800556-0
                                                                                                                        • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                        • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                                                                        • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                                                                        • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                                                                        • _free.LIBCMT ref: 00448353
                                                                                                                        • _free.LIBCMT ref: 0044837A
                                                                                                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                                                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3170660625-0
                                                                                                                        • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                                                        • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                                                                        • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                                                        • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                                        • _free.LIBCMT ref: 10005BB4
                                                                                                                        • _free.LIBCMT ref: 10005BDB
                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$_free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3170660625-0
                                                                                                                        • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                        • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                                                                        • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                                                                        • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                                                                        APIs
                                                                                                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Process$CloseHandleOpen$FileImageName
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2951400881-0
                                                                                                                        • Opcode ID: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                                                                                                        • Instruction ID: eb9e11a2b0883253d54455b1eb0df9c10e535dd1e95c930e162dea6fb874dde8
                                                                                                                        • Opcode Fuzzy Hash: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                                                                                                        • Instruction Fuzzy Hash: 2F01F231680215ABD71066949C8AFA7B66C8B84756F0001ABFA08D2292EE74CD81466A
                                                                                                                        APIs
                                                                                                                        • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                        • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                                                                        • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                        • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                        • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: lstrlen$lstrcat
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 493641738-0
                                                                                                                        • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                        • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                                                                        • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                                                                        • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 00450A54
                                                                                                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                        • _free.LIBCMT ref: 00450A66
                                                                                                                        • _free.LIBCMT ref: 00450A78
                                                                                                                        • _free.LIBCMT ref: 00450A8A
                                                                                                                        • _free.LIBCMT ref: 00450A9C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                        • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                                                                        • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                        • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 100091D0
                                                                                                                          • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                          • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                        • _free.LIBCMT ref: 100091E2
                                                                                                                        • _free.LIBCMT ref: 100091F4
                                                                                                                        • _free.LIBCMT ref: 10009206
                                                                                                                        • _free.LIBCMT ref: 10009218
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                        • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                                        • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                        • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                                        APIs
                                                                                                                        • _free.LIBCMT ref: 00444106
                                                                                                                          • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                        • _free.LIBCMT ref: 00444118
                                                                                                                        • _free.LIBCMT ref: 0044412B
                                                                                                                        • _free.LIBCMT ref: 0044413C
                                                                                                                        • _free.LIBCMT ref: 0044414D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 776569668-0
                                                                                                                        • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                        • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                                                                        • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                        • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                                                                        APIs
                                                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
                                                                                                                        • GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
                                                                                                                        • IsWindowVisible.USER32(?), ref: 00417677
                                                                                                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ProcessWindow$Open$TextThreadVisible
                                                                                                                        • String ID: (VG
                                                                                                                        • API String ID: 3142014140-3443974315
                                                                                                                        • Opcode ID: 03ec91c272319b82483b2025ec8c7941203cead915101a711102ef9fde642a14
                                                                                                                        • Instruction ID: 57afc706987f0d359dfa573bc041c79e98ae29994c94316b8148008c339bd05b
                                                                                                                        • Opcode Fuzzy Hash: 03ec91c272319b82483b2025ec8c7941203cead915101a711102ef9fde642a14
                                                                                                                        • Instruction Fuzzy Hash: 6E7109311082419AC365FB22D8959EFB3E5BFD4308F50493FF18A560E5EF746A49CB8A
                                                                                                                        APIs
                                                                                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]
• API String ID: 3554306468-4262303796
• Opcode ID: 048ab2dd9f71d5d516bd20a1639258bde8a4d6b33d369492628411f657c75bcf
• Instruction ID: fa843d34e07254c46a29a5d4d7bbb73928c81f50e0ccc4a220fcc0531dc04ae2
• Opcode Fuzzy Hash: 048ab2dd9f71d5d516bd20a1639258bde8a4d6b33d369492628411f657c75bcf
• Instruction Fuzzy Hash: DF512C72900219AADB11EB95DC86EEEB77DAF04304F1000BAE505F6191EF746B48CBA9
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe,00000104), ref: 00443515
• _free.LIBCMT ref: 004435E0
• _free.LIBCMT ref: 004435EA
Strings
• C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, xrefs: 0044350C, 00443513, 00443542, 0044357A
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
• API String ID: 2506810119-1588389706
• Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
• Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
• Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
• Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe,00000104), ref: 10004C1D
• _free.LIBCMT ref: 10004CE8
• _free.LIBCMT ref: 10004CF2
Strings
• C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe
• API String ID: 2506810119-1588389706
• Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
• Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
• Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
• Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$@NG
• API String ID: 368326130-3944316004
• Opcode ID: 1d2801b3f0b6de04bb86c09bf5e7ab4dfc4bc421ad6bea4a440c58ed195a8529
• Instruction ID: 88307c0d9f74f86904655d2c31cb74d6ebeba16a9e6c7dae8368527950f1c452
• Opcode Fuzzy Hash: 1d2801b3f0b6de04bb86c09bf5e7ab4dfc4bc421ad6bea4a440c58ed195a8529
• Instruction Fuzzy Hash: EB316171A001195ACB15FBA6DC969ED7375AF90308F00007FF60AB71E2EF785E49CA99
APIs
  • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
  • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
  • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
  • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
  • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
  • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
  • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
• _free.LIBCMT ref: 10006CD7
• _free.LIBCMT ref: 10006D0D
Strings
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _free$ErrorLast_abort
• String ID: 8c_$8c_
• API String ID: 2991157371-2196761061
• Opcode ID: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
• Instruction ID: 62e76a57c0cb8018fa5258269fd2d3c97d0f5aa08c1c35bbbea2ca126a332e06
• Opcode Fuzzy Hash: edadbe4ca17b1bb3a790d59a6ed19414cc5eb62636eebdfc00c28812a33e9cae
• Instruction Fuzzy Hash: AB31D835904249AFF700CB69DD81B5D77F6EF493A0F3141A9E8049B295EB76AD40CB50
APIs
  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
• PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
• PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
Strings
• User Data\Profile ?\Network\Cookies, xrefs: 0040C670
• User Data\Default\Network\Cookies, xrefs: 0040C63E
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
• API String ID: 1174141254-1980882731
• Opcode ID: 97a5ada962bae72897b7f94b11cd40aa52c1d6f994a23f407ee9340b66b1d139
• Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
• Opcode Fuzzy Hash: 97a5ada962bae72897b7f94b11cd40aa52c1d6f994a23f407ee9340b66b1d139
• Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                                                                        Strings
                                                                                                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                                                        • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ExistsFilePath
                                                                                                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                        • API String ID: 1174141254-1980882731
                                                                                                                        • Opcode ID: e30cb4288211014db5c272c31aa753e5001111b8c3c97bf560fde133b4847c17
                                                                                                                        • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                                                                        • Opcode Fuzzy Hash: e30cb4288211014db5c272c31aa753e5001111b8c3c97bf560fde133b4847c17
                                                                                                                        • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                                                                                                        • wsprintfW.USER32 ref: 0040B22E
                                                                                                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: EventLocalTimewsprintf
                                                                                                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                                                                        • API String ID: 1497725170-1359877963
                                                                                                                        • Opcode ID: be5060f3741f8dc9abc46959217150eab49aad82d2edb6830b3f1d7a79f04d8f
                                                                                                                        • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                                                                                        • Opcode Fuzzy Hash: be5060f3741f8dc9abc46959217150eab49aad82d2edb6830b3f1d7a79f04d8f
                                                                                                                        • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
• CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
• CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: c91061ba0d9485e0ddb21df9b01113bd9a157074f4fde7529ca694b7ff066f71
• Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
• Opcode Fuzzy Hash: c91061ba0d9485e0ddb21df9b01113bd9a157074f4fde7529ca694b7ff066f71
• Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
APIs
• LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
• GetProcAddress.KERNEL32(00000000), ref: 00406AC4
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: CryptUnprotectData$crypt32
• API String ID: 2574300362-2380590389
• Opcode ID: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
• Instruction ID: 345ee013d26fc91f442c93551971226c597518e80cf45168a44a65f4e30a47e9
• Opcode Fuzzy Hash: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
• Instruction Fuzzy Hash: 1D01F575A00215BBCB18CFAC8C409AF7BB8EB85300F0041BEE94AE3381DA34AD00CB94
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
• CloseHandle.KERNEL32(?), ref: 004051CA
• SetEvent.KERNEL32(?), ref: 004051D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: aea94675e7c534c52cb53f54c205b860b10a02e3c4213e765d5fd14c325240d7
• Instruction ID: 0252d74fe4ede7253ae2eff4a1d35319ac7a80acec65437dc80477e116da68d3
• Opcode Fuzzy Hash: aea94675e7c534c52cb53f54c205b860b10a02e3c4213e765d5fd14c325240d7
• Instruction Fuzzy Hash: 4A01F530A40F00AFD7216F368D8642BBFE0EB00306704093FE68356AE2D6789800CF89
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
• Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
• Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
• Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
• Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
• Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
• Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
• Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
• ShowWindow.USER32(00000009), ref: 00416C9C
• SetForegroundWindow.USER32 ref: 00416CA8
  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475348), ref: 0041CE35
  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: Window$Console$Show$AllocCreateForegroundOutputThread
• String ID: !D@
• API String ID: 186401046-604454484
• Opcode ID: c28b7efb6e9b123e9bbf35ecfc69271c77d7c0d816cf9c8e66969055ba9ab20b
• Instruction ID: b1493b377ee00385912555b1a5c9642ee05cd41efde33f67b603c236d656be44
• Opcode Fuzzy Hash: c28b7efb6e9b123e9bbf35ecfc69271c77d7c0d816cf9c8e66969055ba9ab20b
• Instruction Fuzzy Hash: 81F03A70148340AAD720AF65ED55BBABB69EB54301F01487BFA09C20F2DB389C94869E
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
• Opcode ID: f44f3a75cb8e05523d561960cc0be4386eb784bc6dcc6058ee8d5990d9ea8ce9
• Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
• Opcode Fuzzy Hash: f44f3a75cb8e05523d561960cc0be4386eb784bc6dcc6058ee8d5990d9ea8ce9
• Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
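Added example (editorial; not Joe Sandbox output and not code recovered from the sample): a Python triage script that turns the strings surfaced in the function records on this page (the wsprintfW timestamp format, the "Online Keylogger Started" banner, the crypt32/CryptUnprotectData pair passed to LoadLibraryA/GetProcAddress, "Connection Timeout", the ShellExecuteW open/cmd.exe//C triple and the pth_unenc marker) into a capability assessment over a memory dump. It searches each string in both ASCII and UTF-16LE, because the W-suffixed APIs in these records take wide strings, and it reports a capability only when the indicators the report shows together are all present, so a generic token such as "open" cannot fire on its own. It also converts the wsprintf format string into a regex so the GetLocalTime stamps can be recovered from keylog output. The constructed blob, the capability rules and the encodings chosen for the blob are assumptions made for illustration.

```python
"""Static string triage keyed on the indicators in the function records on this page.

Editorial example: not Joe Sandbox output and not code from the sample. The blob
built below stands in for a memory dump; the capability rules and the encodings
used in the blob are assumptions.
"""
import re
from datetime import datetime

# Strings quoted in the API / String ID fields of the records above.
INDICATORS = {
    "keylog_timestamp_fmt": "[%04i/%02i/%02i %02i:%02i:%02i $]",  # wsprintfW format
    "keylogger_banner": "Online Keylogger Started",
    "dpapi_dll": "crypt32",                  # LoadLibraryA argument
    "dpapi_func": "CryptUnprotectData",      # GetProcAddress argument
    "c2_timeout_msg": "Connection Timeout",  # WaitForSingleObject(..., 0x3E8 ms)
    "shell_verb": "open",                    # ShellExecuteW verb
    "shell_target": "cmd.exe",
    "shell_switch": "/C ",
    "cleanup_marker": "pth_unenc",           # DeleteFileW / RemoveDirectoryW argument
}

# (capability, indicators that must ALL be present, indicators of which ANY suffices).
# Generic tokens such as "open" never fire alone. The rule set is an assumption.
CAPABILITY_RULES = [
    ("keylogging", set(), {"keylogger_banner", "keylog_timestamp_fmt"}),
    ("dpapi_credential_access", {"dpapi_dll", "dpapi_func"}, set()),
    ("remote_shell", {"shell_target", "shell_switch"}, set()),
    ("c2_reconnect_loop", {"c2_timeout_msg"}, set()),
    ("self_cleanup", {"cleanup_marker"}, set()),
]


def find_indicators(data: bytes) -> dict[str, list[tuple[str, int]]]:
    """{indicator: [(encoding, offset), ...]}; W-suffixed APIs store UTF-16LE strings,
    so an ASCII-only search would miss most of these."""
    hits: dict[str, list[tuple[str, int]]] = {}
    for name, text in INDICATORS.items():
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            start = 0
            while (off := data.find(needle, start)) != -1:
                hits.setdefault(name, []).append((enc, off))
                start = off + 1
    return hits


def assess(data: bytes) -> dict:
    """Map raw indicator hits to capabilities using the co-occurrence rules."""
    hits = find_indicators(data)
    present = set(hits)
    capabilities = [
        cap for cap, need_all, need_any in CAPABILITY_RULES
        if need_all <= present and (not need_any or need_any & present)
    ]
    return {"indicators": hits, "capabilities": capabilities}


def format_to_regex(fmt: str) -> str:
    """Translate a wsprintf format with %[0][width]i/d/u fields into a capturing regex;
    a zero-padded field of width N becomes (\\d{N,}), everything else is literal."""
    out, i = [], 0
    while i < len(fmt):
        spec = re.match(r"%(0?)(\d*)[idu]", fmt[i:])
        if spec:
            out.append(r"(\d{%d,})" % int(spec.group(2) or 1))
            i += spec.end()
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return "".join(out)


KEYLOG_HEADER_RE = re.compile(format_to_regex(INDICATORS["keylog_timestamp_fmt"]))


def parse_keylog_header(line: str):
    """Recover the GetLocalTime stamp (victim-local, no zone) from a keylog line, or None."""
    m = KEYLOG_HEADER_RE.search(line)
    if not m:
        return None
    return datetime(*(int(g) for g in m.groups()))


def build_sample_blob() -> bytes:
    """Constructed stand-in for a memory dump; no byte here comes from the real sample."""
    def wide(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"
    return b"".join([
        b"MZ\x90\x00" + bytes(60),
        b"LoadLibraryA\x00GetProcAddress\x00crypt32\x00CryptUnprotectData\x00",
        wide(INDICATORS["keylog_timestamp_fmt"]) + wide(INDICATORS["keylogger_banner"]),
        wide(INDICATORS["c2_timeout_msg"]),
        wide("open") + wide("cmd.exe") + wide("/C "),
        wide("pth_unenc"),
        bytes(range(256)),
    ])


if __name__ == "__main__":
    result = assess(build_sample_blob())
    for cap in result["capabilities"]:
        print("capability:", cap)
    print(parse_keylog_header("[2024/10/20 14:03:07 $] <typed text>"))
```

Against a real dump, call assess(open(path, "rb").read()) on the .sdmp file named in the Memory Dump Source field. The record above shows CryptUnprotectData being resolved at run time through GetProcAddress rather than through the import table, so the ASCII string pair, not the PE imports, is what to key on for the credential-access capability; the wide-string search matters for everything passed to the W-suffixed APIs.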
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc$xdF
• API String ID: 3325800564-2448381268
• Opcode ID: ad03ad6105e2805cf24512cd36e8b9a34d70bf8a7d384e6b6b2237e166b151ae
• Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
• Opcode Fuzzy Hash: ad03ad6105e2805cf24512cd36e8b9a34d70bf8a7d384e6b6b2237e166b151ae
                                                                                                                        • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                                                                                                        APIs
                                                                                                                        • TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,004752E8,00475300,?,pth_unenc), ref: 0040B8F6
                                                                                                                        • UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                                                                                                        • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: TerminateThread$HookUnhookWindows
                                                                                                                        • String ID: pth_unenc
                                                                                                                        • API String ID: 3123878439-4028850238
                                                                                                                        • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                                                        • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                                                                        • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                                                        • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: __alldvrm$_strrchr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1036877536-0
                                                                                                                        • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                                                        • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                                                                        • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                                                                                                        • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                                        • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                                                                                        • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                                        • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                                                        • __freea.LIBCMT ref: 100087D5
                                                                                                                          • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2652629310-0
                                                                                                                        • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                        • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                                        • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                        • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        • Cleared browsers logins and cookies., xrefs: 0040C130
                                                                                                                        • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Sleep
                                                                                                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                                        • API String ID: 3472027048-1236744412
                                                                                                                        • Opcode ID: 0eb67f22db26bfbf69fd8d2aa32761b673633ffd036242d8c1b92dd0b17869b7
                                                                                                                        • Instruction ID: a79ddf3c6a5b8d59d799e992b07df0540e48cd861b142758bc1ef4dabba95ae9
                                                                                                                        • Opcode Fuzzy Hash: 0eb67f22db26bfbf69fd8d2aa32761b673633ffd036242d8c1b92dd0b17869b7
                                                                                                                        • Instruction Fuzzy Hash: F631A904648381EDD6116BF514967AB7B824E53744F0886BFB8C8273C3DABA4808C75F
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                                                                                          • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                                                                                          • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                                                                                        • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                                                                                        • Sleep.KERNEL32(00000064), ref: 0040A638
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$SleepText$ForegroundLength
                                                                                                                        • String ID: [ $ ]
                                                                                                                        • API String ID: 3309952895-93608704
                                                                                                                        • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                                                                        • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                                                                                                        • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                                                                                                        • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: SystemTimes$Sleep__aulldiv
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 188215759-0
                                                                                                                        • Opcode ID: b0079fa80277cdab6546f5ab837447f57eff53afd9c3e38f4d74f1bcd6e8dbc3
                                                                                                                        • Instruction ID: 34fec0fc5de9b46989c99fc374850f6e4511d06c61be9fc580282ef5e3b3a0c9
                                                                                                                        • Opcode Fuzzy Hash: b0079fa80277cdab6546f5ab837447f57eff53afd9c3e38f4d74f1bcd6e8dbc3
                                                                                                                        • Instruction Fuzzy Hash: 4A1142B35043446BC304FBB5CD85DEF77ACEBC4359F040A3EF64A82061EE29EA498695
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                                                                                        • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                                                                                                        • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                                                                                                        • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                                                                        • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                                                                                                        • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                                                                                                        • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                                                                                        • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3177248105-0
                                                                                                                        • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                                                                        • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                                                                                                        • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                                                                                                        • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                                                                                                        APIs
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                                                        • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3177248105-0
                                                                                                                        • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                        • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                                                        • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                        • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                                                        APIs
                                                                                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                                                                                          • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                                                                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                                                                                        • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2633735394-0
                                                                                                                        • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                        • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                                                                                        • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                                                                                        • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                                                                                        APIs
                                                                                                                        • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                                                                                        • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                                                                                        • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                                                                                        • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: MetricsSystem
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4116985748-0
                                                                                                                        • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                                                        • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                                                                                        • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                                                        • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                                                                                        APIs
                                                                                                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                                                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                                                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                                                                          • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                                                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1761009282-0
                                                                                                                        • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                        • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                                                                        • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                        • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                                                                        APIs
                                                                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorHandling__start
                                                                                                                        • String ID: pow
                                                                                                                        • API String ID: 3213639722-2276729525
                                                                                                                        • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                        • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                                                                        • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                        • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                                                                        APIs
                                                                                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                                                                                                          • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                                                                                          • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                                                          • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                        • String ID: image/jpeg
                                                                                                                        • API String ID: 1291196975-3785015651
                                                                                                                        • Opcode ID: f7762c1077cd22b9d0966c79a8c7972fb49086d0d121f5f9ad0777a9e048a50c
                                                                                                                        • Instruction ID: b1b0a2c635f45e8130f4767810c6fbb161559e0826da6e7acb487c9aae22ef17
                                                                                                                        • Opcode Fuzzy Hash: f7762c1077cd22b9d0966c79a8c7972fb49086d0d121f5f9ad0777a9e048a50c
                                                                                                                        • Instruction Fuzzy Hash: 6D316F72504310AFC701EF65C884D6FB7E9EF8A304F00496EF98597251DB7999048B66
                                                                                                                        APIs
                                                                                                                        • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: ACP$OCP
                                                                                                                        • API String ID: 0-711371036
                                                                                                                        • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                        • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                                                                        • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                        • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                                                                                        APIs
                                                                                                                        • _wcslen.LIBCMT ref: 00416330
                                                                                                                          • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                          • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                                          • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                                          • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcslen$CloseCreateValue
                                                                                                                        • String ID: !D@$okmode
                                                                                                                        • API String ID: 3411444782-1942679189
                                                                                                                        • Opcode ID: 7f83a2f3948da31f3d9d5c8ccd2298a435b5cafecaaee845831b0ac8760f9a24
                                                                                                                        • Instruction ID: 3691d04bdc76b081f03c0e50e7d604d291fd2bc6213442c77ae478975c73e837
                                                                                                                        • Opcode Fuzzy Hash: 7f83a2f3948da31f3d9d5c8ccd2298a435b5cafecaaee845831b0ac8760f9a24
                                                                                                                        • Instruction Fuzzy Hash: E211A871B042011BDA187B72D822BBD2296DB84349F80483FF50AAF2E2DFBD4C51535D
                                                                                                                        APIs
                                                                                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                                                                                                          • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                                                                                                          • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                                                          • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                                                        • String ID: image/png
                                                                                                                        • API String ID: 1291196975-2966254431
                                                                                                                        • Opcode ID: 5ab440bc048de2cb56d31f74581c152c1f03e682227d906222c769bb8292334a
                                                                                                                        • Instruction ID: f628a6b37c0337dbee8ef7f798de7cbb8cc54a1da061f00231e4b0513ad08027
                                                                                                                        • Opcode Fuzzy Hash: 5ab440bc048de2cb56d31f74581c152c1f03e682227d906222c769bb8292334a
                                                                                                                        • Instruction Fuzzy Hash: 4221C375204211AFC700AB61CC89DBFBBACEFCA314F10452EF54693251DB389945CBA6
                                                                                                                        APIs
                                                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00449CBC
                                                                                                                        • GetFileType.KERNEL32(00000000), ref: 00449CCE
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: FileHandleType
                                                                                                                        • String ID: =Z
                                                                                                                        • API String ID: 3000768030-90662088
                                                                                                                        • Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                                                                                                        • Instruction ID: 0971e15b3ed75ae4f19990cc7af9cd82d4526e04a272429d5fd5d939a02a2197
                                                                                                                        • Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                                                                                                        • Instruction Fuzzy Hash: EF11907250475246E7308F3E9CC8223BAD5AB52331B38072BD5B7966F1C328DC82F249
                                                                                                                        APIs
                                                                                                                        • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                                                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                        • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                                                                        Strings
                                                                                                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: LocalTime
                                                                                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                        • API String ID: 481472006-1507639952
                                                                                                                        • Opcode ID: 0d195c905edc8bf9da78c09ea68e9f9cc5387911226b1935f498819e0632d395
                                                                                                                        • Instruction ID: b700b38ef9f928670de2390b904a97a1cb71e472754ad5b4355c5e73bb52b66b
                                                                                                                        • Opcode Fuzzy Hash: 0d195c905edc8bf9da78c09ea68e9f9cc5387911226b1935f498819e0632d395
                                                                                                                        • Instruction Fuzzy Hash: E62104719007806BD710B732A80A76F7B64E755308F44057EE8491B2A2EB7D5988CBDE
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free
                                                                                                                        • String ID: =Z
                                                                                                                        • API String ID: 269201875-90662088
                                                                                                                        • Opcode ID: a20b441ddeb67c9ee691f7cf4a146dca50fcbe4cc28fbe4176985be8152cb82c
                                                                                                                        • Instruction ID: 50f29c45267cc5de65db45c76c11a9fc4df43ae0f191c64cb21c29ff245d41fa
                                                                                                                        • Opcode Fuzzy Hash: a20b441ddeb67c9ee691f7cf4a146dca50fcbe4cc28fbe4176985be8152cb82c
                                                                                                                        • Instruction Fuzzy Hash: 9011D371A002004AEF309F39AC81B563294A714734F15172BF929EA3D6D3BCD8825F89
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32 ref: 0041667B
                                                                                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DownloadFileSleep
                                                                                                                        • String ID: !D@
                                                                                                                        • API String ID: 1931167962-604454484
                                                                                                                        • Opcode ID: a99e4f790afde7138dbb77877bc04f7b73d36f31349e7c55a80da1105f6356ad
                                                                                                                        • Instruction ID: 943aba663a6785b3e55a0e29e9dd0f60b42d3502aaa7a5a348319576c1e2766f
                                                                                                                        • Opcode Fuzzy Hash: a99e4f790afde7138dbb77877bc04f7b73d36f31349e7c55a80da1105f6356ad
                                                                                                                        • Instruction Fuzzy Hash: 9D1142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _strlen
                                                                                                                        • String ID: : $Se.
                                                                                                                        • API String ID: 4218353326-4089948878
                                                                                                                        • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                        • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                                                        • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                        • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
APIs
• GetLocalTime.KERNEL32(00000000), ref: 0041B59A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
• Opcode ID: 6daf1b74f0be0212c99ecf189ff816e92d6af2c6c3a508f563bd5cefd2cc2aaa
• Instruction ID: dc1ef91952a31d7701eba46fb19b130c3a81cf04c31882e55cbcd77cf5b9c3d8
• Opcode Fuzzy Hash: 6daf1b74f0be0212c99ecf189ff816e92d6af2c6c3a508f563bd5cefd2cc2aaa
• Instruction Fuzzy Hash: 72118E714082455AC304EB62D8519BFB3E9AB44308F50093FF88AA21E1EF3CDA45C69E
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: alarm.wav$xYG
• API String ID: 1174141254-3120134784
• Opcode ID: 8fdefe343bf9ffeb28a7c3ee4e6c0106d9ed35135e1c1bd3a9daa0f626893b3c
• Instruction ID: fba4c3df788ebc26406fa6248c5b94d62a9d66ba9cb3dc57f05af0bb44f50ff0
• Opcode Fuzzy Hash: 8fdefe343bf9ffeb28a7c3ee4e6c0106d9ed35135e1c1bd3a9daa0f626893b3c
• Instruction Fuzzy Hash: 78019E7068831166CA04F77688166EE37559B80318F00847FF64A566E2EFBC9A9586CF
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: 58cc93244fb66fa75d78bbbdee9751da8f9d2577a529c344d0767a98dc8fba67
• Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
• Opcode Fuzzy Hash: 58cc93244fb66fa75d78bbbdee9751da8f9d2577a529c344d0767a98dc8fba67
• Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
• __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
Strings
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
• Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
• Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
• Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
APIs
  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
• DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
• _free.LIBCMT ref: 00449B4C
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: CriticalSection$DeleteEnter_free
• String ID: =Z
• API String ID: 1836352639-90662088
• Opcode ID: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
• Instruction ID: 49f98359192604db3700e7d46e2ee0879056decf89b11c46129577f8840becb7
• Opcode Fuzzy Hash: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
• Instruction Fuzzy Hash: C3115E31500214DFEB20DFA8E846B5D73B0FB04724F10455AE8599B2E6CBBCEC429B0D
APIs
  • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
  • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
  • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
  • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
• _abort.LIBCMT ref: 10006DB0
• _free.LIBCMT ref: 10006DE4
Strings
Memory Dump Source
• Source File: 00000000.00000002.4120386266.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.4120373481.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.4120386266.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ErrorLast_abort_free
• String ID: 8c_
• API String ID: 289325740-1614616891
• Opcode ID: 4134211a845f049e2d4acd9fd6b474a5821acff52e97e1c06e3fd46459b96409
• Instruction ID: 7f3fd5b75712fc04265cec68ea5e7784da53d851e8b66a8ea6aaee171cc4b2ef
• Opcode Fuzzy Hash: 4134211a845f049e2d4acd9fd6b474a5821acff52e97e1c06e3fd46459b96409
• Instruction Fuzzy Hash: 8B018439E01A32DBE751DF688C4115DB3A2FF08BE1B25821AE85067249CB35BD528FC5
APIs
• waveInPrepareHeader.WINMM(0059E1B8,00000020,?,?,00476B60,00474EF0,?,00000000,00401A15), ref: 00401849
• waveInAddBuffer.WINMM(0059E1B8,00000020,?,00000000,00401A15), ref: 0040185F
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: hMG
• API String ID: 2315374483-350922481
• Opcode ID: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
• Instruction ID: 961ac9ec07701b1a047984959549e732b5ed52ade8bfae490fcb5a94ac50a39c
• Opcode Fuzzy Hash: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
• Instruction Fuzzy Hash: 46016D71701301AFC7609F75EC449697BA9FF89355701413AF409C77A2EB759C50CB98
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: $G
APIs
• IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
Strings
Yara matches
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$kKD
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
Strings
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
Strings
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
APIs
• PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
Strings
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: AppData$\Opera Software\Opera Stable\
APIs
Strings
Yara matches
Similarity
• API ID: _free
• String ID: $G
APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,00475100), ref: 0040A451
  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,00475100), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475154,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
Strings
Yara matches
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
Strings
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ExecuteShell
                                                                                                                        • String ID: !D@$open
                                                                                                                        • API String ID: 587946157-1586967515
                                                                                                                        • Opcode ID: 362c1c5fd20623688fdc3d2448c9f4f4186b82f57ee2e05463dad5c5776c9df8
                                                                                                                        • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                                                                        • Opcode Fuzzy Hash: 362c1c5fd20623688fdc3d2448c9f4f4186b82f57ee2e05463dad5c5776c9df8
                                                                                                                        • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                                                                        APIs
                                                                                                                        • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: State
                                                                                                                        • String ID: [CtrlL]$[CtrlR]
                                                                                                                        • API String ID: 1649606143-2446555240
                                                                                                                        • Opcode ID: 68a21427a53fdb80c3da8a233085b44fd58d033cfb752835714686d39fb0ec3c
                                                                                                                        • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                                                        • Opcode Fuzzy Hash: 68a21427a53fdb80c3da8a233085b44fd58d033cfb752835714686d39fb0ec3c
                                                                                                                        • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00449ADC: DeleteCriticalSection.KERNEL32(00471090,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                                                                                                          • Part of subcall function 00449ADC: _free.LIBCMT ref: 00449B4C
                                                                                                                          • Part of subcall function 00449B7C: _free.LIBCMT ref: 00449B9E
                                                                                                                        • DeleteCriticalSection.KERNEL32(005A3DC8), ref: 0043C241
                                                                                                                        • _free.LIBCMT ref: 0043C255
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: _free$CriticalDeleteSection
                                                                                                                        • String ID: =Z
                                                                                                                        • API String ID: 1906768660-90662088
                                                                                                                        • Opcode ID: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                                                                                                        • Instruction ID: 53b3c8965ed62865b06495ab0c988fe80dbb580c75aaeb32feec7d00177b517a
                                                                                                                        • Opcode Fuzzy Hash: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                                                                                                        • Instruction Fuzzy Hash: F8E04F328145208FEB71BB69FD4595A73E4EB4D325B12086FF80DA3165CAADAC809B4D
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                        • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: Init_thread_footer__onexit
                                                                                                                        • String ID: <kG$@kG
                                                                                                                        • API String ID: 1881088180-1261746286
                                                                                                                        • Opcode ID: 3005333bcecaffa700c7528d759515cdbab9def11ce6217a52740adfeea124d5
                                                                                                                        • Instruction ID: b3c290aa7aaf28965b2d5d57398085964b0ab7c4475a0d5935719b6e6c356165
                                                                                                                        • Opcode Fuzzy Hash: 3005333bcecaffa700c7528d759515cdbab9def11ce6217a52740adfeea124d5
                                                                                                                        • Instruction Fuzzy Hash: 4BE0D8315049208AC510B75EE442AC53345DB0A324B21907BF414D72D2CBAE78C24E5D
                                                                                                                        APIs
                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752E8,00475300,?,pth_unenc), ref: 00413A6C
                                                                                                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                                                                                                        Strings
                                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: DeleteOpenValue
                                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                        • API String ID: 2654517830-1051519024
                                                                                                                        • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                        • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                                                                                        • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                        • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                                                                                        APIs
                                                                                                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ObjectProcessSingleTerminateWait
                                                                                                                        • String ID: pth_unenc
                                                                                                                        • API String ID: 1872346434-4028850238
                                                                                                                        • Opcode ID: d98377acd33bdda2349b7be151d0e491c89c80a6de05baeaae50e9a3ec635156
                                                                                                                        • Instruction ID: 4cc810616d40180dbd1e9271652f71629269b6e9fac0605c61d014a2f2010889
                                                                                                                        • Opcode Fuzzy Hash: d98377acd33bdda2349b7be151d0e491c89c80a6de05baeaae50e9a3ec635156
                                                                                                                        • Instruction Fuzzy Hash: B0D0C934189712EBD7220B70AE49B443A6CA705322F141360F429413F1C6A98894AA18
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401BD9), ref: 00440D77
                                                                                                                        • GetLastError.KERNEL32 ref: 00440D85
                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1717984340-0
                                                                                                                        • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                                                        • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                                                                        • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                                                        • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                                                                                        APIs
                                                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                                                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                                                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                                                                                        • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.4119523681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000000.00000002.4119504744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119560135.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119587308.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        • Associated: 00000000.00000002.4119618866.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Yara matches
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLastRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4100373531-0
                                                                                                                        • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                        • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                                                                        • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                        • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage: 6.2%
                                                                                                                        Dynamic/Decrypted Code Coverage: 9.2%
                                                                                                                        Signature Coverage: 2.1%
                                                                                                                        Total number of Nodes: 2000
                                                                                                                        Total number of Limit Nodes: 67
                                                                                                                        execution_graph (rendered as an interactive node/edge graph on the original page; the raw listing of node ids, function addresses and a->b call edges is omitted here). Functions in the graph that resolve to named Windows APIs include:
                                                                                                                        • 0x4044a4 LoadLibraryW, 0x4044cf GetProcAddress, 0x4044e8 FreeLibrary, 0x404507 MessageBoxW; 0x40a83b GetSystemDirectoryW followed by 0x40a881 / 0x409739 LoadLibraryW (runtime API resolution)
                                                                                                                        • 0x413d65 CreateToolhelp32Snapshot / Process32FirstW, 0x413f00 Process32NextW, 0x413da5 OpenProcess, 0x413f17 CloseHandle (process enumeration)
                                                                                                                        • 0x40bddf CredEnumerateW, 0x40be26 wcsncmp, 0x40bef6 _wcsnicmp, 0x40bf43 LocalFree (credential store enumeration)
                                                                                                                        • 0x40c2fd FindFirstUrlCacheEntryW, 0x40c35e / 0x40c391 FindNextUrlCacheEntryW, 0x40c3ad FindCloseUrlCache (WinINet URL cache enumeration)
                                                                                                                        • 0x414592 RegOpenKeyExW, 0x4145ac RegQueryValueExW, 0x414ce9 RegCloseKey, 0x414c64 SHGetSpecialFolderPathW
                                                                                                                        • 0x40d702 / 0x40d65d GetPrivateProfileStringW, 0x40d75c WritePrivateProfileStringW, 0x40daef GetPrivateProfileIntW, 0x40d76e GetPrivateProfileStringW / WritePrivateProfileStringW / _itow (INI-file settings)
                                                                                                                        • 0x414770 / 0x40a02c CreateFileW, 0x40b827 CopyFileW, 0x40bade DeleteFileW, 0x409b98 GetFileAttributesW, 0x40ae5c FindFirstFileW, 0x40ae7b FindNextFileW, 0x40aebe FindClose, 0x409bca GetModuleFileNameW
                                                                                                                        • 0x417570 SetFilePointer, 0x41760a ReadFile, 0x417bf6 UnmapViewOfFile / CloseHandle, 0x4175ce Sleep; 0x40b5a4 FindResourceW, 0x40b5c2 LoadResource, 0x40b5d0 SizeofResource / LockResource, 0x412794 EnumResourceTypesW, 0x40dc9c EnumResourceNamesW
                                                                                                                        • 0x412863 CoInitialize, 0x4123e2 RegisterClassW / CreateWindowExW, 0x412873 ShowWindow / UpdateWindow / LoadAcceleratorsW / GetMessageW, 0x4128d0 TranslateAcceleratorW, 0x41292b TranslateMessage / DispatchMessageW, 0x412957 CoUninitialize (window message loop)
                                                                                                                        • 0x4018db GetWindowPlacement / GetSystemMetrics / SetWindowPlacement, 0x40969c LoadCursorW / SetCursor, 0x409cdb CreateFontIndirectW, 0x40daac LoadStringW
                                                                                                                        • 0x40b64c SystemTimeToFileTime / FileTimeToLocalFileTime, 0x444972 and 0x40a7a0 GetVersionExW, 0x4136c0 CoTaskMemFree, 0x40a6e6 WideCharToMultiByte, 0x40a71b / 0x40a734 MultiByteToWideChar
                                                                                                                        Remaining nodes carry only CRT calls (memset, memcpy, wcscpy, malloc, free, ??2@YAPAXI, ??3@YAXPAX) or collapsed "N API calls" summaries of their callees.
38757->38746 38757->38752 38758->38749 38996 40a97a 38759->38996 38762 40a8cc 38762->38348 38763 40a8d0 7 API calls 38763->38762 39001 40b1ab free free 38764->39001 38766 40c3dd 38767 40b2cc 27 API calls 38766->38767 38768 40c3e7 38767->38768 39002 414592 RegOpenKeyExW 38768->39002 38770 40c3f4 38771 40c50e 38770->38771 38772 40c3ff 38770->38772 38786 405337 38771->38786 38773 40a9ce 4 API calls 38772->38773 38774 40c418 memset 38773->38774 39003 40aa1d 38774->39003 38777 40c471 38779 40c47a _wcsupr 38777->38779 38778 40c505 RegCloseKey 38778->38771 38780 40a8d0 7 API calls 38779->38780 38781 40c498 38780->38781 38782 40a8d0 7 API calls 38781->38782 38783 40c4ac memset 38782->38783 38784 40aa1d 38783->38784 38785 40c4e4 RegEnumValueW 38784->38785 38785->38778 38785->38779 39005 405220 38786->39005 38790 4099c6 2 API calls 38789->38790 38791 40a714 _wcslwr 38790->38791 38792 40c634 38791->38792 39062 405361 38792->39062 38795 40c65c wcslen 39065 4053b6 39 API calls 38795->39065 38796 40c71d wcslen 38796->38362 38798 40c677 38799 40c713 38798->38799 39066 40538b 39 API calls 38798->39066 39068 4053df 39 API calls 38799->39068 38802 40c6a5 38802->38799 38803 40c6a9 memset 38802->38803 38804 40c6d3 38803->38804 39067 40c589 44 API calls 38804->39067 38806->38355 38808 40ae18 9 API calls 38807->38808 38814 40c210 38808->38814 38809 40ae51 9 API calls 38809->38814 38810 40c264 38811 40aebe FindClose 38810->38811 38813 40c26f 38811->38813 38812 40add4 2 API calls 38812->38814 38819 40e5ed memset memset 38813->38819 38814->38809 38814->38810 38814->38812 38815 40c231 _wcsicmp 38814->38815 38816 40c1d3 35 API calls 38814->38816 38815->38814 38817 40c248 38815->38817 38816->38814 38832 40c084 22 API calls 38817->38832 38820 414c2e 17 API calls 38819->38820 38821 40e63f 38820->38821 38822 409d1f 6 API calls 38821->38822 38823 40e658 38822->38823 38833 409b98 GetFileAttributesW 38823->38833 38825 40e667 38827 409d1f 6 API calls 38825->38827 38829 40e680 38825->38829 
38827->38829 38828 40e68f 38830 40c2d8 38828->38830 38835 40e4b2 38828->38835 38834 409b98 GetFileAttributesW 38829->38834 38830->38742 38830->38743 38832->38814 38833->38825 38834->38828 38856 40e01e 38835->38856 38837 40e593 38838 40e5b0 38837->38838 38839 40e59c DeleteFileW 38837->38839 38840 40b04b ??3@YAXPAX 38838->38840 38839->38838 38842 40e5bb 38840->38842 38841 40e521 38841->38837 38879 40e175 38841->38879 38844 40e5c4 CloseHandle 38842->38844 38845 40e5cc 38842->38845 38844->38845 38847 40b633 free 38845->38847 38846 40e573 38849 40e584 38846->38849 38850 40e57c CloseHandle 38846->38850 38848 40e5db 38847->38848 38853 40b633 free 38848->38853 38922 40b1ab free free 38849->38922 38850->38849 38852 40e540 38852->38846 38899 40e2ab 38852->38899 38854 40e5e3 38853->38854 38854->38830 38923 406214 38856->38923 38859 40e16b 38859->38841 38862 40afcf 2 API calls 38863 40e08d OpenProcess 38862->38863 38864 40e0a4 GetCurrentProcess DuplicateHandle 38863->38864 38868 40e152 38863->38868 38865 40e0d0 GetFileSize 38864->38865 38866 40e14a CloseHandle 38864->38866 38959 409a45 GetTempPathW 38865->38959 38866->38868 38867 40e160 38871 40b04b ??3@YAXPAX 38867->38871 38868->38867 38870 406214 22 API calls 38868->38870 38870->38867 38871->38859 38872 40e0ea 38962 4096dc CreateFileW 38872->38962 38874 40e0f1 CreateFileMappingW 38875 40e140 CloseHandle CloseHandle 38874->38875 38876 40e10b MapViewOfFile 38874->38876 38875->38866 38877 40e13b CloseHandle 38876->38877 38878 40e11f WriteFile UnmapViewOfFile 38876->38878 38877->38875 38878->38877 38880 40e18c 38879->38880 38963 406b90 38880->38963 38883 40e1a7 memset 38889 40e1e8 38883->38889 38884 40e299 38973 4069a3 38884->38973 38890 40e283 38889->38890 38891 40dd50 _wcsicmp 38889->38891 38897 40e244 _snwprintf 38889->38897 38980 406e8f 13 API calls 38889->38980 38981 40742e 8 API calls 38889->38981 38982 40aae3 wcslen wcslen _memicmp 38889->38982 38983 406b53 SetFilePointerEx ReadFile 38889->38983 38892 40e291 38890->38892 
38893 40e288 free 38890->38893 38891->38889 38894 40aa04 free 38892->38894 38893->38892 38894->38884 38898 40a8d0 7 API calls 38897->38898 38898->38889 38900 40e2c2 38899->38900 38901 406b90 11 API calls 38900->38901 38916 40e2d3 38901->38916 38902 40e4a0 38903 4069a3 2 API calls 38902->38903 38904 40e4ab 38903->38904 38904->38852 38907 40e489 38908 40aa04 free 38907->38908 38910 40e491 38908->38910 38909 40dd50 _wcsicmp 38909->38916 38910->38902 38911 40e497 free 38910->38911 38911->38902 38913 40e376 memset 38986 40aa29 38913->38986 38916->38902 38916->38907 38916->38909 38917 40e3e0 memcpy 38916->38917 38918 40e3b3 wcschr 38916->38918 38919 40e3fb memcpy 38916->38919 38920 40e416 memcpy 38916->38920 38921 40e431 memcpy 38916->38921 38984 406e8f 13 API calls 38916->38984 38985 40dd50 _wcsicmp 38916->38985 38994 40742e 8 API calls 38916->38994 38995 406b53 SetFilePointerEx ReadFile 38916->38995 38917->38916 38918->38916 38919->38916 38920->38916 38921->38916 38922->38837 38924 406294 CloseHandle 38923->38924 38925 406224 38924->38925 38926 4096c3 CreateFileW 38925->38926 38927 40622d 38926->38927 38928 406281 GetLastError 38927->38928 38930 40a2ef ReadFile 38927->38930 38929 40625a 38928->38929 38929->38859 38934 40dd85 memset 38929->38934 38931 406244 38930->38931 38931->38928 38932 40624b 38931->38932 38932->38929 38933 406777 19 API calls 38932->38933 38933->38929 38935 409bca GetModuleFileNameW 38934->38935 38936 40ddbe CreateFileW 38935->38936 38939 40ddf1 38936->38939 38937 40afcf ??2@YAPAXI ??3@YAXPAX 38937->38939 38938 41352f 9 API calls 38938->38939 38939->38937 38939->38938 38940 40de0b NtQuerySystemInformation 38939->38940 38941 40de3b CloseHandle GetCurrentProcessId 38939->38941 38940->38939 38942 40de54 38941->38942 38943 413d4c 46 API calls 38942->38943 38951 40de88 38943->38951 38944 40e00c 38945 413d29 free FreeLibrary 38944->38945 38946 40e014 38945->38946 38946->38859 38946->38862 38947 40dea9 _wcsicmp 38948 40dee7 OpenProcess 38947->38948 38949 
40debd _wcsicmp 38947->38949 38948->38951 38949->38948 38950 40ded0 _wcsicmp 38949->38950 38950->38948 38950->38951 38951->38944 38951->38947 38952 40dfef CloseHandle 38951->38952 38953 40df78 38951->38953 38954 40df23 GetCurrentProcess DuplicateHandle 38951->38954 38957 40df8f CloseHandle 38951->38957 38952->38951 38953->38952 38953->38957 38958 40dfae _wcsicmp 38953->38958 38954->38951 38955 40df4c memset 38954->38955 38956 41352f 9 API calls 38955->38956 38956->38951 38957->38953 38958->38951 38958->38953 38960 409a74 GetTempFileNameW 38959->38960 38961 409a66 GetWindowsDirectoryW 38959->38961 38960->38872 38961->38960 38962->38874 38964 406bd5 38963->38964 38967 406bad 38963->38967 38966 4066bf free malloc memcpy free free 38964->38966 38972 406c0f 38964->38972 38965 406bba _wcsicmp 38965->38964 38965->38967 38968 406be5 38966->38968 38967->38964 38967->38965 38969 40afcf ??2@YAPAXI ??3@YAXPAX 38968->38969 38968->38972 38970 406bff 38969->38970 38971 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 38970->38971 38971->38972 38972->38883 38972->38884 38974 4069c4 ??3@YAXPAX 38973->38974 38975 4069af 38974->38975 38976 40b633 free 38975->38976 38977 4069ba 38976->38977 38978 40b04b ??3@YAXPAX 38977->38978 38979 4069c2 38978->38979 38979->38852 38980->38889 38981->38889 38982->38889 38983->38889 38984->38916 38985->38913 38987 40aa33 38986->38987 38988 40aa63 38986->38988 38989 40aa44 38987->38989 38990 40aa38 wcslen 38987->38990 38988->38916 38991 40a9ce malloc memcpy free free 38989->38991 38990->38989 38992 40aa4d 38991->38992 38992->38988 38993 40aa51 memcpy 38992->38993 38993->38988 38994->38916 38995->38916 38998 40a980 38996->38998 38997 40a8bb 38997->38762 38997->38763 38998->38997 38999 40a995 _wcsicmp 38998->38999 39000 40a99c wcscmp 38998->39000 38999->38998 39000->38998 39001->38766 39002->38770 39004 40aa23 RegEnumValueW 39003->39004 39004->38777 39004->38778 39006 405335 39005->39006 39007 40522a 39005->39007 39006->38362 39008 40b2cc 27 
API calls 39007->39008 39009 405234 39008->39009 39010 40a804 8 API calls 39009->39010 39011 40523a 39010->39011 39050 40b273 39011->39050 39013 405248 _mbscpy _mbscat GetProcAddress 39014 40b273 27 API calls 39013->39014 39015 405279 39014->39015 39053 405211 GetProcAddress 39015->39053 39017 405282 39018 40b273 27 API calls 39017->39018 39019 40528f 39018->39019 39054 405211 GetProcAddress 39019->39054 39021 405298 39022 40b273 27 API calls 39021->39022 39023 4052a5 39022->39023 39055 405211 GetProcAddress 39023->39055 39025 4052ae 39026 40b273 27 API calls 39025->39026 39027 4052bb 39026->39027 39056 405211 GetProcAddress 39027->39056 39029 4052c4 39030 40b273 27 API calls 39029->39030 39031 4052d1 39030->39031 39057 405211 GetProcAddress 39031->39057 39033 4052da 39034 40b273 27 API calls 39033->39034 39035 4052e7 39034->39035 39058 405211 GetProcAddress 39035->39058 39037 4052f0 39038 40b273 27 API calls 39037->39038 39039 4052fd 39038->39039 39051 40b58d 27 API calls 39050->39051 39052 40b18c 39051->39052 39052->39013 39053->39017 39054->39021 39055->39025 39056->39029 39057->39033 39058->39037 39063 405220 39 API calls 39062->39063 39064 405369 39063->39064 39064->38795 39064->38796 39065->38798 39066->38802 39067->38799 39068->38796 39070 40440c FreeLibrary 39069->39070 39071 40436d 39070->39071 39072 40a804 8 API calls 39071->39072 39073 404377 39072->39073 39074 404383 39073->39074 39075 404405 39073->39075 39076 40b273 27 API calls 39074->39076 39075->38368 39075->38369 39075->38373 39077 40438d GetProcAddress 39076->39077 39078 40b273 27 API calls 39077->39078 39079 4043a7 GetProcAddress 39078->39079 39080 40b273 27 API calls 39079->39080 39081 4043ba GetProcAddress 39080->39081 39082 40b273 27 API calls 39081->39082 39083 4043ce GetProcAddress 39082->39083 39084 40b273 27 API calls 39083->39084 39085 4043e2 GetProcAddress 39084->39085 39086 4043f1 39085->39086 39087 4043f7 39086->39087 39088 40440c FreeLibrary 39086->39088 39087->39075 39088->39075 
39090 404413 FreeLibrary 39089->39090 39091 40441e 39089->39091 39090->39091 39091->38384 39092->38381 39094 40447e 39093->39094 39095 40442e 39093->39095 39096 404485 CryptUnprotectData 39094->39096 39097 40449c 39094->39097 39098 40b2cc 27 API calls 39095->39098 39096->39097 39097->38381 39099 404438 39098->39099 39100 40a804 8 API calls 39099->39100 39101 40443e 39100->39101 39102 404445 39101->39102 39103 404467 39101->39103 39104 40b273 27 API calls 39102->39104 39103->39094 39105 404475 FreeLibrary 39103->39105 39106 40444f GetProcAddress 39104->39106 39105->39094 39106->39103 39107 404460 39106->39107 39107->39103 39109 4135f6 39108->39109 39110 4135eb FreeLibrary 39108->39110 39109->38387 39110->39109 39112 4449c4 39111->39112 39113 444a52 39111->39113 39114 40b2cc 27 API calls 39112->39114 39113->38404 39113->38405 39115 4449cb 39114->39115 39116 40a804 8 API calls 39115->39116 39117 4449d1 39116->39117 39118 40b273 27 API calls 39117->39118 39119 4449dc GetProcAddress 39118->39119 39132->38415 39133->38415 39134->38415 39135->38415 39136->38406 39138 403a29 39137->39138 39152 403bed memset memset 39138->39152 39140 403a2f 39141 403ae7 39140->39141 39142 403a3f memset 39140->39142 39145 409b98 GetFileAttributesW 39140->39145 39146 40a8d0 7 API calls 39140->39146 39147 409d1f 6 API calls 39140->39147 39165 40b1ab free free 39141->39165 39142->39140 39144 403aef 39144->38422 39145->39140 39146->39140 39147->39140 39149 40a051 GetFileTime CloseHandle 39148->39149 39150 4039ca CompareFileTime 39148->39150 39149->39150 39150->38422 39151->38421 39153 414c2e 17 API calls 39152->39153 39154 403c38 39153->39154 39155 409719 2 API calls 39154->39155 39156 403c3f wcscat 39155->39156 39157 414c2e 17 API calls 39156->39157 39158 403c61 39157->39158 39159 409719 2 API calls 39158->39159 39160 403c68 wcscat 39159->39160 39166 403af5 39160->39166 39163 403af5 20 API calls 39164 403c95 39163->39164 39164->39140 39165->39144 39167 403b02 39166->39167 39168 40ae18 9 API 
calls 39167->39168 39176 403b37 39168->39176 39169 403bdb 39170 40aebe FindClose 39169->39170 39171 403be6 39170->39171 39171->39163 39172 40ae18 9 API calls 39172->39176 39173 40ae51 9 API calls 39173->39176 39174 40add4 wcscmp wcscmp 39174->39176 39175 40aebe FindClose 39175->39176 39176->39169 39176->39172 39176->39173 39176->39174 39176->39175 39177 40a8d0 7 API calls 39176->39177 39177->39176 39179 409d1f 6 API calls 39178->39179 39180 404190 39179->39180 39193 409b98 GetFileAttributesW 39180->39193 39182 40419c 39183 4041a7 6 API calls 39182->39183 39184 40435c 39182->39184 39186 40424f 39183->39186 39184->38449 39186->39184 39187 40425e memset 39186->39187 39189 409d1f 6 API calls 39186->39189 39190 40a8ab 9 API calls 39186->39190 39194 414842 39186->39194 39187->39186 39188 404296 wcscpy 39187->39188 39188->39186 39189->39186 39191 4042b6 memset memset _snwprintf wcscpy 39190->39191 39191->39186 39192->38447 39193->39182 39197 41443e 39194->39197 39196 414866 39196->39186 39198 41444b 39197->39198 39199 414451 39198->39199 39200 4144a3 GetPrivateProfileStringW 39198->39200 39201 414491 39199->39201 39202 414455 wcschr 39199->39202 39200->39196 39203 414495 WritePrivateProfileStringW 39201->39203 39202->39201 39204 414463 _snwprintf 39202->39204 39203->39196 39204->39203 39205->38453 39207 40b2cc 27 API calls 39206->39207 39208 409615 39207->39208 39209 409d1f 6 API calls 39208->39209 39210 409625 39209->39210 39235 409b98 GetFileAttributesW 39210->39235 39212 409634 39213 409648 39212->39213 39236 4091b8 memset 39212->39236 39215 40b2cc 27 API calls 39213->39215 39217 408801 39213->39217 39216 40965d 39215->39216 39218 409d1f 6 API calls 39216->39218 39217->38456 39217->38484 39219 40966d 39218->39219 39288 409b98 GetFileAttributesW 39219->39288 39221 40967c 39221->39217 39222 409681 39221->39222 39289 409529 72 API calls 39222->39289 39224 409690 39224->39217 39235->39212 39290 40a6e6 WideCharToMultiByte 39236->39290 39238 409202 39291 444432 39238->39291 
39241 40b273 27 API calls 39242 409236 39241->39242 39337 438552 39242->39337 39268 40951d 39268->39213 39288->39221 39289->39224 39290->39238 39387 4438b5 39291->39387 39293 44444c 39294 409215 39293->39294 39401 415a6d 39293->39401 39294->39241 39294->39268 39296 4442e6 11 API calls 39298 44469e 39296->39298 39297 444486 39299 4444b9 memcpy 39297->39299 39336 4444a4 39297->39336 39298->39294 39301 443d90 111 API calls 39298->39301 39405 415258 39299->39405 39301->39294 39336->39296 39519 438460 39337->39519 39388 4438d0 39387->39388 39398 4438c9 39387->39398 39475 415378 memcpy memcpy 39388->39475 39398->39293 39402 415a77 39401->39402 39403 415a8d 39402->39403 39404 415a7e memset 39402->39404 39403->39297 39404->39403 39406 4438b5 11 API calls 39405->39406 39531 41703f 39519->39531 39532 417044 39531->39532 39533 41705c 39531->39533 39535 416760 11 API calls 39532->39535 39537 417055 39532->39537 39534 417075 39533->39534 39536 41707a 11 API calls 39533->39536 39535->39537 39536->39532 39658 413f4f 39631->39658 39634 413f37 K32GetModuleFileNameExW 39635 413f4a 39634->39635 39635->38516 39637 413969 wcscpy 39636->39637 39638 41396c wcschr 39636->39638 39648 413a3a 39637->39648 39638->39637 39640 41398e 39638->39640 39663 4097f7 wcslen wcslen _memicmp 39640->39663 39642 41399a 39643 4139a4 memset 39642->39643 39644 4139e6 39642->39644 39664 409dd5 GetWindowsDirectoryW wcscpy 39643->39664 39646 413a31 wcscpy 39644->39646 39647 4139ec memset 39644->39647 39646->39648 39665 409dd5 GetWindowsDirectoryW wcscpy 39647->39665 39648->38516 39649 4139c9 wcscpy wcscat 39649->39648 39651 413a11 memcpy wcscat 39651->39648 39653 413cb0 GetModuleHandleW 39652->39653 39654 413cda 39652->39654 39653->39654 39657 413cbf GetProcAddress 39653->39657 39655 413ce3 GetProcessTimes 39654->39655 39656 413cf6 39654->39656 39655->38518 39656->38518 39657->39654 39659 413f2f 39658->39659 39660 413f54 39658->39660 39659->39634 39659->39635 39661 40a804 8 API calls 39660->39661 39662 413f5f 
GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39661->39662 39662->39659 39663->39642 39664->39649 39665->39651 39666->38538 39667->38561 39669 409cf9 GetVersionExW 39668->39669 39670 409d0a 39668->39670 39669->39670 39670->38568 39670->38572 39671->38573 39672->38578 39673->38580 39674->38646 39676 40bba5 39675->39676 39720 40cc26 39676->39720 39679 40bd4b 39741 40cc0c 39679->39741 39684 40b2cc 27 API calls 39685 40bbef 39684->39685 39748 40ccf0 _wcsicmp 39685->39748 39687 40bbf5 39687->39679 39749 40ccb4 6 API calls 39687->39749 39689 40bc26 39690 40cf04 17 API calls 39689->39690 39691 40bc2e 39690->39691 39692 40bd43 39691->39692 39693 40b2cc 27 API calls 39691->39693 39694 40cc0c 4 API calls 39692->39694 39695 40bc40 39693->39695 39694->39679 39750 40ccf0 _wcsicmp 39695->39750 39697 40bc46 39697->39692 39698 40bc61 memset memset WideCharToMultiByte 39697->39698 39751 40103c strlen 39698->39751 39700 40bcc0 39701 40b273 27 API calls 39700->39701 39702 40bcd0 memcmp 39701->39702 39702->39692 39703 40bce2 39702->39703 39704 404423 38 API calls 39703->39704 39705 40bd10 39704->39705 39705->39692 39706 40bd3a LocalFree 39705->39706 39707 40bd1f memcpy 39705->39707 39706->39692 39707->39706 39708->38661 39709->38697 39710->38697 39711->38697 39712->38697 39713->38697 39714->38697 39715->38697 39716->38697 39717->38697 39718->38673 39719->38694 39752 4096c3 CreateFileW 39720->39752 39722 40cc34 39723 40cc3d GetFileSize 39722->39723 39731 40bbca 39722->39731 39724 40afcf 2 API calls 39723->39724 39725 40cc64 39724->39725 39753 40a2ef ReadFile 39725->39753 39727 40cc71 39754 40ab4a MultiByteToWideChar 39727->39754 39729 40cc95 CloseHandle 39730 40b04b ??3@YAXPAX 39729->39730 39730->39731 39731->39679 39732 40cf04 39731->39732 39733 40b633 free 39732->39733 39734 40cf14 39733->39734 39760 40b1ab free free 39734->39760 39736 40bbdd 39736->39679 39736->39684 39737 40cf1b 39737->39736 39738 40cfef 39737->39738 39761 40cd4b 39737->39761 39740 
40cd4b 14 API calls 39738->39740 39740->39736 39742 40b633 free 39741->39742 39743 40cc15 39742->39743 39744 40aa04 free 39743->39744 39745 40cc1d 39744->39745 39802 40b1ab free free 39745->39802 39747 40b7d4 memset CreateFileW 39747->38652 39747->38653 39748->39687 39749->39689 39750->39697 39751->39700 39752->39722 39753->39727 39755 40ab6b 39754->39755 39759 40ab93 39754->39759 39756 40a9ce 4 API calls 39755->39756 39757 40ab74 39756->39757 39758 40ab7c MultiByteToWideChar 39757->39758 39758->39759 39759->39729 39760->39737 39762 40cd7b 39761->39762 39763 40aa29 6 API calls 39762->39763 39767 40cd89 39763->39767 39764 40cef5 39765 40aa04 free 39764->39765 39766 40cefd 39765->39766 39766->39737 39767->39764 39768 40aa29 6 API calls 39767->39768 39769 40ce1d 39768->39769 39770 40aa29 6 API calls 39769->39770 39771 40ce3e 39770->39771 39772 40ce6a 39771->39772 39795 40abb7 wcslen memmove 39771->39795 39773 40ce9f 39772->39773 39798 40abb7 wcslen memmove 39772->39798 39776 40a8d0 7 API calls 39773->39776 39779 40ceb5 39776->39779 39777 40ce56 39796 40aa71 wcslen 39777->39796 39778 40ce8b 39799 40aa71 wcslen 39778->39799 39784 40a8d0 7 API calls 39779->39784 39782 40ce5e 39797 40abb7 wcslen memmove 39782->39797 39786 40cecb 39784->39786 39785 40ce93 39800 40abb7 wcslen memmove 39785->39800 39801 40d00b malloc memcpy free free 39786->39801 39789 40cedd 39790 40aa04 free 39789->39790 39791 40cee5 39790->39791 39792 40aa04 free 39791->39792 39793 40ceed 39792->39793 39794 40aa04 free 39793->39794 39794->39764 39795->39777 39796->39782 39797->39772 39798->39778 39799->39785 39800->39773 39801->39789 39802->39747 39803->38713 39804->38721 39805 4415ea 39813 4304b2 39805->39813 39807 4415fe 39808 4418ea 39807->39808 39809 4418e2 39807->39809 39812 442bd4 39807->39812 39809->39808 39860 4414a9 12 API calls 39809->39860 39812->39808 39861 441409 memset 39812->39861 39862 43041c 12 API calls 39813->39862 39815 4304cd 39820 430557 39815->39820 39863 43034a memcpy 39815->39863 
39817 4304f3 39817->39820 39864 430468 11 API calls 39817->39864 39819 430506 39819->39820 39821 43057b 39819->39821 39865 43817e 39819->39865 39820->39807 39822 415a91 memset 39821->39822 39824 430584 39822->39824 39824->39820 39870 4397fd memset 39824->39870 39826 4305e4 39826->39820 39871 4328e4 12 API calls 39826->39871 39828 43052d 39828->39820 39828->39821 39831 430542 39828->39831 39830 4305fa 39832 430609 39830->39832 39872 423383 11 API calls 39830->39872 39831->39820 39869 4169a7 11 API calls 39831->39869 39873 423330 11 API calls 39832->39873 39835 430634 39874 423399 11 API calls 39835->39874 39837 430648 39875 4233ae 11 API calls 39837->39875 39839 43066b 39876 423330 11 API calls 39839->39876 39841 43067d 39877 4233ae 11 API calls 39841->39877 39843 430695 39878 423330 11 API calls 39843->39878 39845 4306d6 39880 423330 11 API calls 39845->39880 39846 4306a7 39846->39845 39848 4306c0 39846->39848 39879 4233ae 11 API calls 39848->39879 39849 4306d1 39881 430369 17 API calls 39849->39881 39852 4306f3 39882 423330 11 API calls 39852->39882 39854 430704 39883 423330 11 API calls 39854->39883 39856 430710 39884 423330 11 API calls 39856->39884 39858 43071e 39885 423383 11 API calls 39858->39885 39860->39808 39861->39812 39862->39815 39863->39817 39864->39819 39866 438187 39865->39866 39868 438192 39865->39868 39886 4380f6 39866->39886 39868->39828 39869->39820 39870->39826 39871->39830 39872->39832 39873->39835 39874->39837 39875->39839 39876->39841 39877->39843 39878->39846 39879->39849 39880->39849 39881->39852 39882->39854 39883->39856 39884->39858 39885->39820 39888 43811f 39886->39888 39887 438164 39887->39868 39888->39887 39891 437e5e 39888->39891 39914 4300e8 memset memset memcpy 39888->39914 39915 437d3c 39891->39915 39893 437eb3 39893->39888 39894 437ea9 39894->39893 39900 437f22 39894->39900 39930 41f432 39894->39930 39897 437f06 39980 415c56 11 API calls 39897->39980 39899 437f95 39981 415c56 11 API calls 39899->39981 39901 437f7f 39900->39901 
39902 432d4e 3 API calls 39900->39902 39901->39899 39903 43802b 39901->39903 39902->39901 39941 4165ff 39903->39941 39909 43806b 39910 438094 39909->39910 39982 42f50e 138 API calls 39909->39982 39911 437fa3 39910->39911 39983 4300e8 memset memset memcpy 39910->39983 39911->39893 39984 41f638 104 API calls 39911->39984 39914->39888 39916 437d69 39915->39916 39919 437d80 39915->39919 39985 437ccb 11 API calls 39916->39985 39918 437d76 39918->39894 39919->39918 39920 437da3 39919->39920 39921 437d90 39919->39921 39923 438460 134 API calls 39920->39923 39921->39918 39989 437ccb 11 API calls 39921->39989 39925 437dcb 39923->39925 39929 437de8 39925->39929 39986 444283 13 API calls 39925->39986 39927 437dfc 39987 437ccb 11 API calls 39927->39987 39988 424f26 123 API calls 39929->39988 39931 41f54d 39930->39931 39934 41f44f 39930->39934 39932 41f466 39931->39932 40019 41c635 memset memset 39931->40019 39932->39897 39932->39900 39934->39932 39939 41f50b 39934->39939 39990 41f1a5 39934->39990 40015 41c06f memcmp 39934->40015 40016 41f3b1 90 API calls 39934->40016 40017 41f398 86 API calls 39934->40017 39939->39931 39939->39932 40018 41c295 86 API calls 39939->40018 39942 4165a0 11 API calls 39941->39942 39943 41660d 39942->39943 39944 437371 39943->39944 39945 41703f 11 API calls 39944->39945 39946 437399 39945->39946 39947 43739d 39946->39947 39948 4373ac 39946->39948 40106 4446ea 11 API calls 39947->40106 39950 416935 16 API calls 39948->39950 39973 4373ca 39950->39973 39951 437584 39953 4375bc 39951->39953 40113 42453e 123 API calls 39951->40113 39952 438460 134 API calls 39952->39973 39955 415c7d 16 API calls 39953->39955 39956 4375d2 39955->39956 39958 4442e6 11 API calls 39956->39958 39960 4373a7 39956->39960 39957 4251c4 137 API calls 39957->39973 39959 4375e2 39958->39959 39959->39960 40114 444283 13 API calls 39959->40114 39960->39909 39962 415a91 memset 39962->39973 39965 43758f 40112 42453e 123 API calls 39965->40112 39968 4375f4 39971 437620 39968->39971 39972 
43760b 39968->39972 39970 43759f 39974 416935 16 API calls 39970->39974 39976 416935 16 API calls 39971->39976 40115 444283 13 API calls 39972->40115 39973->39951 39973->39952 39973->39957 39973->39962 39973->39965 39979 437d3c 135 API calls 39973->39979 40107 425433 13 API calls 39973->40107 40108 425413 17 API calls 39973->40108 40109 42533e 16 API calls 39973->40109 40110 42538f 16 API calls 39973->40110 40111 42453e 123 API calls 39973->40111 39974->39951 39976->39960 39978 437612 memcpy 39978->39960 39979->39973 39980->39893 39981->39911 39982->39910 39983->39911 39984->39893 39985->39918 39986->39927 39987->39929 39988->39918 39989->39918 40020 41bc3b 39990->40020 39993 41edad 86 API calls 39994 41f1cb 39993->39994 39995 41f1f5 memcmp 39994->39995 39996 41f20e 39994->39996 40000 41f282 39994->40000 39995->39996 39997 41f21b memcmp 39996->39997 39996->40000 39998 41f326 39997->39998 40001 41f23d 39997->40001 39999 41ee6b 86 API calls 39998->39999 39998->40000 39999->40000 40000->39934 40001->39998 40002 41f28e memcmp 40001->40002 40044 41c8df 56 API calls 40001->40044 40002->39998 40003 41f2a9 40002->40003 40003->39998 40006 41f308 40003->40006 40007 41f2d8 40003->40007 40005 41f269 40005->39998 40008 41f287 40005->40008 40009 41f27a 40005->40009 40006->39998 40046 4446ce 11 API calls 40006->40046 40010 41ee6b 86 API calls 40007->40010 40008->40002 40011 41ee6b 86 API calls 40009->40011 40012 41f2e0 40010->40012 40011->40000 40045 41b1ca memset __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 40012->40045 40015->39934 40016->39934 40017->39934 40018->39931 40019->39932 40021 41be0b 40020->40021 40023 41bc54 40020->40023 40024 41bd61 40021->40024 40055 41ae17 34 API calls 40021->40055 40023->40021 40023->40024 40035 41bc8d 40023->40035 40047 41baf0 55 API calls 40023->40047 40026 41be45 40024->40026 40056 41a25f memset 40024->40056 40026->39993 40026->40000 40028 41be04 40054 41aee4 56 API calls 40028->40054 40030 41bd42 40030->40024 40030->40028 40031 41bdd8 memset 

                                                                                                                        Control-flow Graph (graph rendering not captured in text; see API list below)
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0040DDAD
                                                                                                                          • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                          • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                          • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                        • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                        • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                        • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                        • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                        • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                                        • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                                        • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                                        • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                                        • memset.MSVCRT ref: 0040DF5F
                                                                                                                        • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                                        • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                                        • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                                        • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                        • API String ID: 708747863-3398334509
                                                                                                                        • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                                        • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                        • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                                        • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                          • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                          • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                        • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                        • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                        • free.MSVCRT ref: 00418803
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1355100292-0
                                                                                                                        • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                        • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                        • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                        • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                        APIs
                                                                                                                        • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                        • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 767404330-0
                                                                                                                        • Opcode ID: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                                        • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                        • Opcode Fuzzy Hash: 91f5c8417cc05eb5371089ee99512099cd95d68580e827c1857cd6a30ed1daf0
                                                                                                                        • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                        APIs
                                                                                                                        • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                        • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFind$FirstNext
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1690352074-0
                                                                                                                        • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                        • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                        • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                        • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0041898C
                                                                                                                        • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InfoSystemmemset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3558857096-0
                                                                                                                        • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                                        • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                        • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                                        • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 004455C2
                                                                                                                        • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                        • memset.MSVCRT ref: 0044570D
                                                                                                                        • memset.MSVCRT ref: 00445725
                                                                                                                          • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                          • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                          • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                          • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                          • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                          • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                          • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                          • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                        • memset.MSVCRT ref: 0044573D
                                                                                                                        • memset.MSVCRT ref: 00445755
                                                                                                                        • memset.MSVCRT ref: 004458CB
                                                                                                                        • memset.MSVCRT ref: 004458E3
                                                                                                                        • memset.MSVCRT ref: 0044596E
                                                                                                                        • memset.MSVCRT ref: 00445A10
                                                                                                                        • memset.MSVCRT ref: 00445A28
                                                                                                                        • memset.MSVCRT ref: 00445AC6
                                                                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                          • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                          • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                          • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                          • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                          • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                        • memset.MSVCRT ref: 00445B52
                                                                                                                        • memset.MSVCRT ref: 00445B6A
                                                                                                                        • memset.MSVCRT ref: 00445C9B
                                                                                                                        • memset.MSVCRT ref: 00445CB3
                                                                                                                        • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                        • memset.MSVCRT ref: 00445B82
                                                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                          • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                          • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                          • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                          • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                          • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                        • memset.MSVCRT ref: 00445986
                                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                        • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                        • API String ID: 1963886904-3798722523
                                                                                                                        • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                                        • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                        • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                                        • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                          • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                          • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                          • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                        • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                                                        • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                        • String ID: $/deleteregkey$/savelangfile
                                                                                                                        • API String ID: 2744995895-28296030
                                                                                                                        • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                                        • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                        • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                                        • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0040B71C
                                                                                                                          • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                          • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                        • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                        • memset.MSVCRT ref: 0040B756
                                                                                                                        • memset.MSVCRT ref: 0040B7F5
                                                                                                                        • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                        • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                        • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                        • memset.MSVCRT ref: 0040B851
                                                                                                                        • memset.MSVCRT ref: 0040B8CA
                                                                                                                        • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                          • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                          • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                        • memset.MSVCRT ref: 0040BB53
                                                                                                                        • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                        • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                                                        • String ID: chp$v10
                                                                                                                        • API String ID: 1297422669-2783969131
                                                                                                                        • Opcode ID: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                                                                        • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                        • Opcode Fuzzy Hash: 544f7529f0c4d3a53e9c457f8d9cabf322a2e4b31897d0a2c4cc607292de5a12
                                                                                                                        • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                        • free.MSVCRT ref: 0040E49A
                                                                                                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                        • memset.MSVCRT ref: 0040E380
                                                                                                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                          • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                        • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                        • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                                        • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E407
                                                                                                                        • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E422
                                                                                                                        • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E43D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                        • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                        • API String ID: 3849927982-2252543386
                                                                                                                        • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                        • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                        • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                        • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                                        Control-flow Graph

[Control-flow graph image: basic blocks 004091B8 through 00409526, coloured executed / not executed; graph rendering data omitted]
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 004091E2
                                                                                                                          • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                        • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                        • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                        • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                        • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                        • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                        • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                        • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                        • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                        • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                        • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                        • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                        • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3715365532-3916222277
                                                                                                                        • Opcode ID: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                                                        • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                        • Opcode Fuzzy Hash: 1c524b1582e21d5cf33c38ae172dfd569e4d92201c70e2bcc6981c46efb40b80
                                                                                                                        • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                        Control-flow Graph

[Control-flow graph image: basic blocks 00413D4C through 00413F24, coloured executed / not executed; graph rendering data omitted]
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                                        • memset.MSVCRT ref: 00413D7F
                                                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                        • memset.MSVCRT ref: 00413E07
                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                        • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                        • free.MSVCRT ref: 00413EC1
                                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                        • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                        • API String ID: 1344430650-1740548384
                                                                                                                        • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                                        • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                        • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                                        • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                          • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                          • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                          • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                          • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                          • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                        • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                        • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                        • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                          • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                          • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                          • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                          • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                        • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                        • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                        • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                        • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                        • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                        • String ID: bhv
                                                                                                                        • API String ID: 4234240956-2689659898
                                                                                                                        • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                        • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                        • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                        • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                        Control-flow Graph

[Control-flow graph image: basic blocks 00413F4F through 00413FA5, coloured executed / not executed; graph rendering data omitted]
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                          • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                          • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                          • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                          • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                        • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                        • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                        • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                        • API String ID: 2941347001-70141382
                                                                                                                        • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                        • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                        • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                        • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0040C298
                                                                                                                          • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                          • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                        • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                        • wcschr.MSVCRT ref: 0040C324
                                                                                                                        • wcschr.MSVCRT ref: 0040C344
                                                                                                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                        • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                        • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                        • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                        • String ID: visited:
                                                                                                                        • API String ID: 2470578098-1702587658
                                                                                                                        • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                        • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                        • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                        • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 721 40e175-40e1a1 call 40695d call 406b90 726 40e1a7-40e1e5 memset 721->726 727 40e299-40e2a8 call 4069a3 721->727 729 40e1e8-40e1fa call 406e8f 726->729 733 40e270-40e27d call 406b53 729->733 734 40e1fc-40e219 call 40dd50 * 2 729->734 733->729 739 40e283-40e286 733->739 734->733 745 40e21b-40e21d 734->745 742 40e291-40e294 call 40aa04 739->742 743 40e288-40e290 free 739->743 742->727 743->742 745->733 746 40e21f-40e235 call 40742e 745->746 746->733 749 40e237-40e242 call 40aae3 746->749 749->733 752 40e244-40e26b _snwprintf call 40a8d0 749->752 752->733
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                        • memset.MSVCRT ref: 0040E1BD
                                                                                                                          • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                        • free.MSVCRT ref: 0040E28B
                                                                                                                          • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                          • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                          • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                        • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                        • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                        • API String ID: 2804212203-2982631422
                                                                                                                        • Opcode ID: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                                                                                                        • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                        • Opcode Fuzzy Hash: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                                                                                                        • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 754 40b58d-40b59e 755 40b5a4-40b5c0 GetModuleHandleW FindResourceW 754->755 756 40b62e-40b632 754->756 757 40b5c2-40b5ce LoadResource 755->757 758 40b5e7 755->758 757->758 759 40b5d0-40b5e5 SizeofResource LockResource 757->759 760 40b5e9-40b5eb 758->760 759->760 760->756 761 40b5ed-40b5ef 760->761 761->756 762 40b5f1-40b629 call 40afcf memcpy call 40b4d3 call 40b3c1 call 40b04b 761->762 762->756
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                                                        • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                        • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                        • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                        • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                        • String ID: AE$BIN
                                                                                                                        • API String ID: 1668488027-3931574542
                                                                                                                        • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                                        • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                        • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                                        • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                          • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                          • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                        • memset.MSVCRT ref: 0040BC75
                                                                                                                        • memset.MSVCRT ref: 0040BC8C
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                        • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                                        • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                        • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 115830560-3916222277
                                                                                                                        • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                                                                        • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                        • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                                                                        • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                        Control-flow Graph

                                                                                                                        control_flow_graph 822 41837f-4183bf 823 4183c1-4183cc call 418197 822->823 824 4183dc-4183ec call 418160 822->824 829 4183d2-4183d8 823->829 830 418517-41851d 823->830 831 4183f6-41840b 824->831 832 4183ee-4183f1 824->832 829->824 833 418417-418423 831->833 834 41840d-418415 831->834 832->830 835 418427-418442 call 41739b 833->835 834->835 838 418444-41845d CreateFileW 835->838 839 41845f-418475 CreateFileA 835->839 840 418477-41847c 838->840 839->840 841 4184c2-4184c7 840->841 842 41847e-418495 GetLastError free 840->842 845 4184d5-418501 memset call 418758 841->845 846 4184c9-4184d3 841->846 843 4184b5-4184c0 call 444706 842->843 844 418497-4184b3 call 41837f 842->844 843->830 844->830 852 418506-418515 free 845->852 846->845 852->830
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                        • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                        • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                        • free.MSVCRT ref: 0041848B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFile$ErrorLastfree
                                                                                                                        • String ID: |A
                                                                                                                        • API String ID: 77810686-1717621600
                                                                                                                        • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                                                                        • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                        • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                                                                        • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                                                                        Control-flow Graph

                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0041249C
                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                                        • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                                        • wcscpy.MSVCRT ref: 004125A0
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                        • String ID: r!A
                                                                                                                        • API String ID: 2791114272-628097481
                                                                                                                        • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                                                                        • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                        • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                                                                        • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• LoadLibraryW.KERNEL32(?), ref: 0040A884
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: C:\Windows\system32
• API String ID: 669240632-2896066436
• Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
• Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
• Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
• Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• wcsncmp.MSVCRT ref: 0040BE38
• memset.MSVCRT ref: 0040BE91
• memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• _wcsnicmp.MSVCRT ref: 0040BEFC
• wcschr.MSVCRT ref: 0040BF24
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
• String ID:
• API String ID: 697348961-0
• Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
• Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
• Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
• Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
APIs
• memset.MSVCRT ref: 00403CBF
• memset.MSVCRT ref: 00403CD4
• memset.MSVCRT ref: 00403CE9
• memset.MSVCRT ref: 00403CFE
• memset.MSVCRT ref: 00403D13
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 4039892925-11920434
• Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
• Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
• Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
• Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
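The function summaries above (the 0040C274 URL-cache walk with its login-URL strings, the 0040BDE9 CredEnumerateW routine, and the SHGetSpecialFolderPathW subcall used by the Waterfox profile routine) are the raw material a triage analyst scans for credential-access behaviour. The following is an added example, not Joe Sandbox code and not part of this report: it parses API lines in the exact "API.MODULE(args), ref: ADDR" shape used above, buckets them into capability classes, and names the CSIDL constant passed to SHGetSpecialFolderPathW. The sample lines are copied from this page; the bucket names and the CSIDL table are our own, with only the two CSIDL values we are sure of (0x1A = CSIDL_APPDATA, 0x1C = CSIDL_LOCAL_APPDATA).

```python
import re
from collections import defaultdict

# Constructed sample input: API lines copied from the Joe Sandbox function
# summaries on this page (subcall 0040C274, function 0040BDE9 and subcall
# 00414C2E of the Waterfox profile routine). A real export has many more.
SAMPLE = """\
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• memset.MSVCRT ref: 00403DDA
"""

# One "API.MODULE(args), ref: ADDR" line, optionally prefixed with the
# "Part of subcall function XXXXXXXX:" marker Joe uses for inlined callees.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

def parse_api_lines(text):
    """Return a list of dicts: api, module, args (raw stack values), ref, subcall."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers such as "APIs" / "Strings" are not call lines
        args = [a for a in (m["args"] or "").split(",") if a]
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": m["ref"], "subcall": m["sub"]})
    return calls

# Capability buckets a triage analyst cares about for a credential stealer;
# the API names are documented Win32 exports, the bucket names are ours.
CAPABILITY_RULES = {
    "windows-credential-manager-read": {"CredEnumerateW", "CredEnumerateA", "CredReadW", "CredReadA"},
    "ie-url-cache-enumeration": {"FindFirstUrlCacheEntryW", "FindNextUrlCacheEntryW",
                                 "FindFirstUrlCacheEntryA", "FindNextUrlCacheEntryA"},
    "registry-value-enumeration": {"RegEnumValueW", "RegEnumValueA"},
    "user-profile-path-resolution": {"SHGetSpecialFolderPathW", "SHGetSpecialFolderPathA",
                                     "SHGetFolderPathW", "SHGetFolderPathA"},
}

def classify(calls):
    """Map each capability bucket to the sorted list of APIs observed in it."""
    found = defaultdict(set)
    for c in calls:
        for cap, apis in CAPABILITY_RULES.items():
            if c["api"] in apis:
                found[cap].add(c["api"])
    return {cap: sorted(apis) for cap, apis in found.items()}

# The low byte of the CSIDL argument selects the folder; the high byte
# carries CSIDL_FLAG_* bits (e.g. CSIDL_FLAG_CREATE = 0x8000).
CSIDL_NAMES = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}

def decode_csidl(call):
    """SHGetSpecialFolderPathW(hwnd, lpszPath, csidl, fCreate): name the csidl
    argument when Joe recorded a concrete value rather than '?'."""
    if not call["api"].startswith("SHGetSpecialFolderPath") or len(call["args"]) < 3:
        return None
    raw = call["args"][2]
    if raw == "?":
        return None
    folder = int(raw, 16) & 0xFF
    return CSIDL_NAMES.get(folder, "CSIDL_0x%02X" % folder)

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for cap, apis in classify(parsed).items():
        print(cap, apis)
    for c in parsed:
        name = decode_csidl(c)
        if name:
            print("%s at %s resolves %s" % (c["api"], c["ref"], name))
```

Run against the sample, the classifier reports the Credential Manager read, the WinINet URL-cache walk and the registry enumeration in one place, and the CSIDL decoder shows that the Waterfox routine builds its "Waterfox\Profiles" path under the roaming %APPDATA% folder. Argument values in these lines are what Joe observed on the stack at call time, so a "?" means unrecorded, not zero.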
APIs
• memset.MSVCRT ref: 00403E50
• memset.MSVCRT ref: 00403E65
• memset.MSVCRT ref: 00403E7A
• memset.MSVCRT ref: 00403E8F
• memset.MSVCRT ref: 00403EA4
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 4039892925-2068335096
• Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
• Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
• Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 4039892925-3369679110
• Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
• Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
• Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
• Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
• Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
• Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
• Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 2941347001-0
• Opcode ID: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
• Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
• Opcode Fuzzy Hash: 80e482451f5ca37e8404f50e4d067f365766b265f7642500ec0655012d68ebd6
• Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
• Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
• Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
• Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
• Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 71295984-2036018995
• Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
• Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
• Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
• Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
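Added triage helper for the function-summary blocks above (example code, not part of the Joe Sandbox report and not code from the analysed sample). It parses blocks in the plain-text form used on this page, keeping "Part of subcall function" entries and the "$"-joined String ID list, and attaches labels that tie the blocks together: the third argument 0x1A that every SHGetSpecialFolderPathW call here receives is CSIDL_APPDATA, so the SeaMonkey, Firefox and "Mozilla\Profiles" blocks and the "Shell Folders" block all resolve %APPDATA% before appending the profile directory; the function that also resolves SHGetSpecialFolderPathW by name and calls GetVersionExW reads the Shell Folders registry key, which is consistent with a fallback on systems where the API is unavailable (an inference from the listing, not stated by the report); and the BINARY/NOCASE/RTRIM collation names, the main/temp schema names and "no such vfs: %s" are SQLite's own strings, so that block belongs to a statically linked SQLite rather than to the RAT logic. The label rules, the threshold of three GetProcAddress calls and the embedded sample blocks are this example's assumptions, the sample being copied from the listing on this page.

```python
"""Triage helper for Joe Sandbox function-summary blocks. Added example, not
Joe Sandbox or Remcos code; it parses the plain-text rendering used on this
page and attaches heuristic labels whose rules are this example's assumptions."""
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass, field

CSIDL_APPDATA = 0x1A  # third SHGetSpecialFolderPathW argument in the report; 0x1A is CSIDL_APPDATA (%APPDATA%)
SHELL_FOLDERS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
SQLITE_MARKERS = {"BINARY", "NOCASE", "RTRIM", "main", "temp"}  # SQLite built-in collations + default schema names
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
ApiCall = namedtuple("ApiCall", "name module args ref subcall")  # subcall = callee address, or None

# Constructed input: four blocks copied from this page's listing, in the page's own format.
SAMPLE = r"""
APIs
• memset.MSVCRT ref: 00403C09
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• wcscat.MSVCRT ref: 00403C47
Similarity
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Similarity
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
APIs
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Similarity
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 71295984-2036018995
APIs
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
Similarity
• API String ID: 2941347001-0
"""

@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    api_string_id: str = ""

def _add(blk: FunctionBlock, s: str) -> None:  # de-duplicate: Strings section and String ID overlap
    if s and s not in blk.strings:
        blk.strings.append(s)

def parse_blocks(text: str) -> list[FunctionBlock]:
    """One FunctionBlock per 'APIs' heading; subcall entries are kept and tagged with the callee."""
    blocks: list[FunctionBlock] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line in ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            if line == "APIs":
                blocks.append(FunctionBlock())
        elif line and blocks:
            blk = blocks[-1]
            if section == "APIs" and (m := API_RE.match(line)):
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                blk.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            elif section == "Strings":  # "<string>, xrefs: <addr>, <addr>"
                _add(blk, line.split(", xrefs:")[0])
            elif section == "Similarity":
                key, _, value = line.partition(": ")
                if key == "String ID":
                    for s in value.split("$"):  # Joe Sandbox joins a block's strings with '$'
                        _add(blk, s)
                elif key == "API String ID":
                    blk.api_string_id = value
    return blocks

def triage(blk: FunctionBlock) -> list[str]:
    """Heuristic labels; each rule is this example's assumption, not a Joe Sandbox signature."""
    out = []
    for a in blk.apis:  # CSIDL is the third argument; '?' means the sandbox could not recover it
        if a.name == "SHGetSpecialFolderPathW" and len(a.args) > 2 and a.args[2] != "?" \
                and int(a.args[2], 16) == CSIDL_APPDATA:
            out.append("resolves %APPDATA% via SHGetSpecialFolderPathW(CSIDL_APPDATA)")
            break
    if any(s.startswith("Mozilla\\") and s.endswith("Profiles") for s in blk.strings):
        out.append("enumerates Mozilla profile directories")
    if SHELL_FOLDERS_KEY in blk.strings:
        out.append("registry Shell Folders fallback for known folder path")
    if SQLITE_MARKERS <= set(blk.strings):
        out.append("embedded SQLite engine strings")
    names = [a.name for a in blk.apis]
    if "LoadLibraryW" in names and names.count("GetProcAddress") >= 3:
        out.append("dynamic import resolution via LoadLibraryW/GetProcAddress")
    return out

def summarize(text: str) -> dict[str, list[str]]:
    """Map each block's 'API String ID' to its triage labels."""
    return {b.api_string_id: triage(b) for b in parse_blocks(text)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it on the embedded sample maps the two %APPDATA% blocks, the SQLite block and the LoadLibraryW/GetProcAddress block to their labels, keyed by the report's API String ID so the result can be joined back to the full listing. Feeding the whole function-summary section of a report through `summarize` gives a quick count of how many functions touch browser profile paths, which is the question a triage analyst wants answered before reading the individual blocks.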
                                                                                                                        APIs
                                                                                                                        • wcschr.MSVCRT ref: 00414458
                                                                                                                        • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                        • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                        Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
• Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
• Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
• Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
• Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
Strings
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
• Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
• Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
• Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99

APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
• Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
• Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
• Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
• Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9

APIs
• memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
• memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
Strings
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
• Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
• Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
• Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88

APIs
Strings
Similarity
• API ID: _wcsicmpqsort
• String ID: /nosort$/sort
• API String ID: 1579243037-1578091866
• Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
• Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
• Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
• Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A

APIs
• memset.MSVCRT ref: 0040E60F
• memset.MSVCRT ref: 0040E629
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
Similarity
• API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2887208581-2114579845
• Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
• Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
• Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
• Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998

APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
• Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
• Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688

APIs
• ??3@YAXPAX@Z.MSVCRT(00810048), ref: 0044DF01
• ??3@YAXPAX@Z.MSVCRT(00820050), ref: 0044DF11
• ??3@YAXPAX@Z.MSVCRT(00946DB0), ref: 0044DF21
• ??3@YAXPAX@Z.MSVCRT(00820458), ref: 0044DF31
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
• Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
• Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
• Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D

APIs
Strings
• only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset
                                                                                                                        • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                        • API String ID: 2221118986-1725073988
                                                                                                                        • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                        • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                        • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                        • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                        APIs
                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                                                        • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ??3@DeleteObject
                                                                                                                        • String ID: r!A
                                                                                                                        • API String ID: 1103273653-628097481
                                                                                                                        • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                        • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                        • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                        • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                        APIs
                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ??2@
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1033339047-0
                                                                                                                        • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                        • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                        • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                        • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                          • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                        • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$memcmp
                                                                                                                        • String ID: $$8
                                                                                                                        • API String ID: 2808797137-435121686
                                                                                                                        • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                        • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                        • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                        • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                          • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                          • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                          • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                          • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                          • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                          • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                          • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                          • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                        • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                          • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                          • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                          • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                                        • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                        • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                          • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                          • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                          • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1979745280-0
                                                                                                                        • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                                        • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                                        • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                                        • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                          • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                          • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                        • memset.MSVCRT ref: 00403A55
                                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                          • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                          • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                          • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                          • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                          • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                          • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                          • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                        • String ID: history.dat$places.sqlite
                                                                                                                        • API String ID: 2641622041-467022611
                                                                                                                        • Opcode ID: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
                                                                                                                        • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                                        • Opcode Fuzzy Hash: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
                                                                                                                        • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                          • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                        • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                        • GetLastError.KERNEL32 ref: 00417627
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$File$PointerRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 839530781-0
                                                                                                                        • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                                                        • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                        • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                                                        • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileFindFirst
                                                                                                                        • String ID: *.*$index.dat
                                                                                                                        • API String ID: 1974802433-2863569691
                                                                                                                        • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                                        • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                        • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                                        • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                        APIs
                                                                                                                        • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                        • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                        • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ErrorLast$FilePointer
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1156039329-0
                                                                                                                        • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                        • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                        • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                        • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                        • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                        • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseCreateHandleTime
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3397143404-0
                                                                                                                        • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                        • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                        • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                        • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                        APIs
                                                                                                                        • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                        • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1125800050-0
                                                                                                                        • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                        • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                        • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                        • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                        APIs
                                                                                                                        • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                        • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CloseHandleSleep
                                                                                                                        • String ID: }A
                                                                                                                        • API String ID: 252777609-2138825249
                                                                                                                        • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                        • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                        • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                        • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                        APIs
                                                                                                                        • malloc.MSVCRT ref: 00409A10
                                                                                                                        • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                        • free.MSVCRT ref: 00409A31
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: freemallocmemcpy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3056473165-0
                                                                                                                        • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                                        • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                        • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                                                        • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: d
                                                                                                                        • API String ID: 0-2564639436
                                                                                                                        • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                        • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                        • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                                                                                                        • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset
                                                                                                                        • String ID: BINARY
                                                                                                                        • API String ID: 2221118986-907554435
                                                                                                                        • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                        • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                        • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                        • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcsicmp
                                                                                                                        • String ID: /stext
                                                                                                                        • API String ID: 2081463915-3817206916
                                                                                                                        • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                                        • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                                        • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                                        • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                                        APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
• CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
APIs
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
APIs
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
                                                                                                                        • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                        • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                        • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                        • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                        APIs
                                                                                                                        • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                          • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                          • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                          • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4232544981-0
                                                                                                                        • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                        • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                        • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                        • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeLibrary
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3664257935-0
                                                                                                                        • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                        • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                        • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                        • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                          • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$FileModuleName
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3859505661-0
                                                                                                                        • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                        • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                        • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                        • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                        APIs
                                                                                                                        • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2738559852-0
                                                                                                                        • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                        • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                        • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                        • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                        APIs
                                                                                                                        • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FileWrite
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3934441357-0
                                                                                                                        • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                        • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                        • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                        • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                        APIs
                                                                                                                        • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FreeLibrary
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3664257935-0
                                                                                                                        • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                        • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                        • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                        • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 823142352-0
                                                                                                                        • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                        • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                        • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                        • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                        APIs
                                                                                                                        • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFile
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 823142352-0
                                                                                                                        • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                        • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                        • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                        • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
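The API records above (an INI read/write pair, GetProcAddress resolving psapi.dll exports, and two CreateFileW calls whose numeric arguments encode the access mode) are easier to triage once parsed. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses the record format visible on this page, decodes the CreateFileW access/share/disposition arguments using the documented Win32 constants, and flags dynamically resolved process-enumeration exports. The sample input is copied from the records on this page; the regular expression assumes only the "API.MODULE(args), ref: ADDR" shape shown here, and the set of psapi.dll export names is the one listed in this report.

```python
"""Parse and triage Joe Sandbox per-function API records (added example)."""
import re
from collections import Counter

# Constructed sample input: records copied verbatim from this report's "APIs" listings.
SAMPLE_RECORDS = """\
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
• ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
"""

# Record shape assumed from this page: optional bullet, optional subcall prefix,
# "Api.MODULE(arg,arg,...), ref: ADDRESS". Unresolved arguments are shown as "?".
RECORD_RE = re.compile(
    r"^\s*(?:[•*-]\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<module>[A-Z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Win32 constants for CreateFileW (dwDesiredAccess, dwShareMode, dwCreationDisposition).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# psapi.dll exports named in this report's GetProcAddress records.
PSAPI_EXPORTS = {"EnumProcesses", "EnumProcessModules",
                 "GetModuleFileNameExW", "GetModuleInformation"}


def parse_records(text):
    """Return one dict per matching line; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": m.group("ref"),
            "sub": m.group("sub"),  # None when the call sits in the function itself
        })
    return calls


def _hexval(arg):
    """Sandbox argument to int; '?' (not recovered by the sandbox) becomes None."""
    return None if arg == "?" else int(arg, 16)


def decode_createfile(call):
    """Decode the access, share and disposition arguments of a CreateFileW record.

    Only the first seven arguments are real parameters; the sandbox also prints
    further stack slots (return addresses, caller locals), which are ignored here.
    """
    if call["api"] != "CreateFileW":
        raise ValueError("not a CreateFileW record")
    a = call["args"]
    access, share, disp = _hexval(a[1]), _hexval(a[2]), _hexval(a[4])
    return {
        "access": [n for bit, n in GENERIC.items() if access is not None and access & bit],
        "share": [n for bit, n in SHARE.items() if share is not None and share & bit],
        "disposition": DISPOSITION.get(disp, "?"),
    }


def resolved_psapi_exports(calls):
    """Export names passed to GetProcAddress that belong to the psapi.dll set above."""
    return sorted(c["args"][1] for c in calls
                  if c["api"] == "GetProcAddress" and len(c["args"]) > 1
                  and c["args"][1] in PSAPI_EXPORTS)


def file_writes(calls):
    """Call sites of CreateFileW that open a file for writing with a creating disposition."""
    hits = []
    for c in calls:
        if c["api"] != "CreateFileW":
            continue
        d = decode_createfile(c)
        if "GENERIC_WRITE" in d["access"] and d["disposition"] in (
                "CREATE_NEW", "CREATE_ALWAYS", "TRUNCATE_EXISTING"):
            hits.append(c["ref"])
    return hits


def api_histogram(calls):
    """Count calls per MODULE!Api, the usual first view when triaging a dump."""
    return Counter(f'{c["module"]}!{c["api"]}' for c in calls)


if __name__ == "__main__":
    calls = parse_records(SAMPLE_RECORDS)
    for name, n in api_histogram(calls).most_common():
        print(f"{n:2d}  {name}")
    print("psapi exports resolved at runtime:", resolved_psapi_exports(calls))
    print("CreateFileW write/create call sites:", file_writes(calls))
```

Run as-is to get the histogram, the runtime-resolved psapi.dll exports, and the CreateFileW call site that creates a file for writing (the 40000000 / CREATE_ALWAYS record), as opposed to the read-only OPEN_EXISTING one. Pointing the parser at the full report instead of the embedded sample needs no change beyond reading the file.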
                                                                                                                        APIs
                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ??3@
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 613200358-0
                                                                                                                        • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                        • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                        • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                        • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
• Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
• Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
• Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
APIs
• EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
• Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
• Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
• Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
• Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
APIs
• FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
• Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
• Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
• Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
• Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
• Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
• Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
• Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
• Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
• Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
APIs
• GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
• Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
• Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
• Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
• Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
• Opcode Fuzzy Hash: b24af7433d330108988894de74f75be26998b58131ab4cc11d8f9b1f19dcffda
• Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
• Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
• Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
• Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
• Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
• String ID:
• API String ID: 1828521557-0
• Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
• Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
• Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
• Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
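The "APIs" lines in these function summaries print raw stack values, so the RegOpenKeyExW entry above (80000002 / 00020019 against Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders) and the CreateFileW entry (80000000 / 00000003) only become readable once the Win32 constants are decoded: HKEY_LOCAL_MACHINE opened with KEY_READ, and a file opened GENERIC_READ with OPEN_EXISTING and no sharing. The parser below is an added example, not part of the Joe Sandbox report; it extracts the API lines (including "Part of subcall function" entries) and decodes the arguments whose meaning is fixed by the documented Win32 headers. It assumes the leading arguments are positional parameters in declaration order; Joe Sandbox prints a window of the stack, so values after the API's formal parameters (and "?" placeholders) are not decoded, and string arguments containing a comma would be split.

```python
"""Parse the "APIs" lines of a Joe Sandbox function summary and decode the
Win32 constants that matter for triage. Added example; not code from the
Joe Sandbox report. Constant values are the documented ones from winreg.h,
winnt.h and fileapi.h; positional decoding of the leading arguments is an
assumption (the report prints a stack window, not checked parameters)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three "APIs" lines copied from the report's entries.
SAMPLE = r"""
APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed by "Part of subcall function XXXXXXXX:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Documented Win32 values (winreg.h, winnt.h, fileapi.h).
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_NAMED = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
KEY_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
            0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
GENERIC_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_BITS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_bits(value, bits, named=None):
    """Name a bitmask: exact composite names first, then the individual bits."""
    if named and value in named:
        return named[value]
    parts = [name for bit, name in bits.items() if value & bit]
    return "|".join(parts) if parts else f"0x{value:X}"


# (API, zero-based parameter index) -> (parameter name, decoder)
ARG_DECODERS = {
    ("RegOpenKeyExW", 0): ("hKey", lambda v: HKEY_ROOTS.get(v, f"0x{v:X} (handle)")),
    ("RegOpenKeyExW", 3): ("samDesired", lambda v: decode_bits(v, KEY_BITS, KEY_NAMED)),
    ("CreateFileW", 1): ("dwDesiredAccess", lambda v: decode_bits(v, GENERIC_BITS)),
    ("CreateFileW", 2): ("dwShareMode", lambda v: decode_bits(v, SHARE_BITS, {0: "0 (no sharing)"})),
    ("CreateFileW", 4): ("dwCreationDisposition", lambda v: DISPOSITION.get(v, f"0x{v:X}")),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # raw tokens as printed in the report
    ref: str              # call-site address
    caller: Optional[str] # set for "Part of subcall function" lines
    decoded: dict = field(default_factory=dict)


def parse_hex(token):
    """int for an 8-hex-digit token, None for '?' placeholders and strings."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None


def parse_api_calls(text):
    """Extract every API line from report text and decode known arguments.
    Only the leading positional parameters are decoded; trailing stack
    values and '?' placeholders are left as raw tokens."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        call = ApiCall(m.group("api"), m.group("module"), args, m.group("ref"), m.group("caller"))
        for i, tok in enumerate(args):
            spec, value = ARG_DECODERS.get((call.api, i)), parse_hex(tok)
            if spec and value is not None:
                call.decoded[spec[0]] = spec[1](value)
        # Non-hex, non-placeholder tokens are the strings Joe Sandbox resolved
        # from the stack (registry paths, file patterns); surface them for IOCs.
        call.decoded["strings"] = [t for t in args if t != "?" and parse_hex(t) is None]
        calls.append(call)
    return calls


if __name__ == "__main__":
    for c in parse_api_calls(SAMPLE):
        via = f" (via {c.caller})" if c.caller else ""
        print(f"{c.ref} {c.api}.{c.module}{via}: {c.decoded}")
```

Running it on the sample prints the RegOpenKeyExW call as HKEY_LOCAL_MACHINE / KEY_READ with the Shell Folders path as its string argument, and the CreateFileW call as GENERIC_READ, no sharing, OPEN_EXISTING, which is the read-only pattern consistent with the credential-harvesting signatures in this report rather than with a file drop.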
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                          • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                        • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ??2@FilePointermemcpy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 609303285-0
                                                                                                                        • Opcode ID: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                                                        • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                        • Opcode Fuzzy Hash: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                                                                        • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcsicmp
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2081463915-0
                                                                                                                        • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                                                        • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                        • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                                                                        • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2136311172-0
                                                                                                                        • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                        • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                        • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                        • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ??2@??3@
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1936579350-0
                                                                                                                        • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                        • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                                        • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                        • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1294909896-0
                                                                                                                        • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                        • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                                        • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                        • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: free
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1294909896-0
                                                                                                                        • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                                        • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                                                        • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                                        • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                                                        APIs
                                                                                                                        • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                        • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                        • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                        • free.MSVCRT ref: 00418370
                                                                                                                          • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                          • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                        • String ID: OsError 0x%x (%u)
                                                                                                                        • API String ID: 2360000266-2664311388
                                                                                                                        • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                        • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                                        • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                        • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                                        APIs
                                                                                                                        • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Version
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1889659487-0
                                                                                                                        • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                                        • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                                                                        • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                                        • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                                                                        APIs
                                                                                                                        • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                        • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                        • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                        • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                          • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                          • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                        • memset.MSVCRT ref: 0040265F
                                                                                                                        • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                          • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                          • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                          • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                        • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                        • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                                        • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                        • API String ID: 2929817778-1134094380
                                                                                                                        • Opcode ID: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                                                                                                        • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                        • Opcode Fuzzy Hash: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                                                                                                        • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
• Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
• Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
• Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• {Unknown}, xrefs: 004132A6
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
• Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
• Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
• Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
• Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
• Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
• Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
• Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
• Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
• Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
• Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
• Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                        • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                        • API String ID: 4054529287-3175352466
                                                                                                                        • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                                        • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                        • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                                        • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                        • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                        • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                        • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                        • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                        • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                        • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                        • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                        • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                        • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                        • API String ID: 667068680-2887671607
                                                                                                                        • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                        • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                        • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                        • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _snwprintf$memset$wcscpy
                                                                                                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                        • API String ID: 2000436516-3842416460
                                                                                                                        • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                                                        • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                        • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                                                        • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                          • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                          • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                          • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                          • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                          • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                          • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                          • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                          • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                          • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                          • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                        • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                        • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                        • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                        • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                        • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                        • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                        • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                        • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                        • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1043902810-0
                                                                                                                        • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                        • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                        • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                        • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                                          • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                        • memset.MSVCRT ref: 004085CF
                                                                                                                        • memset.MSVCRT ref: 004085F1
                                                                                                                        • memset.MSVCRT ref: 00408606
                                                                                                                        • strcmp.MSVCRT ref: 00408645
                                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                        • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                        • memset.MSVCRT ref: 0040870E
                                                                                                                        • strcmp.MSVCRT ref: 0040876B
                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                        • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                        • String ID: ---
                                                                                                                        • API String ID: 3437578500-2854292027
                                                                                                                        • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                        • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                        • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                        • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                        • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                        • malloc.MSVCRT ref: 004186B7
                                                                                                                        • free.MSVCRT ref: 004186C7
                                                                                                                        • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                        • free.MSVCRT ref: 004186E0
                                                                                                                        • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                        • malloc.MSVCRT ref: 004186FE
                                                                                                                        • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                        • free.MSVCRT ref: 00418716
                                                                                                                        • free.MSVCRT ref: 0041872A
                                                                                                                        • free.MSVCRT ref: 00418749
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                         • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: free$FullNamePath$malloc$Version
                                                                                                                        • String ID: |A
                                                                                                                        • API String ID: 3356672799-1717621600
                                                                                                                        • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                        • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                        • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                        • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$ByteCharMultiWide
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 290601579-0
                                                                                                                        • Opcode ID: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                                        • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                        • Opcode Fuzzy Hash: aa14e1b9e389497361ed401ed70ebc10d5f62d7ff5e107018b9223dc9ab6e0fb
                                                                                                                        • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0040A47B
                                                                                                                        • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                        • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                        • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                        Strings
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
• Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
• Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
• Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
• Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9

APIs
• LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
• FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
• Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
• Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D

APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
• Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
• Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
• Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D

Strings
• too many attached databases - max %d, xrefs: 0042F64D
• out of memory, xrefs: 0042F865
• cannot ATTACH database within transaction, xrefs: 0042F663
• unable to open database: %s, xrefs: 0042F84E
• attached databases must use the same text encoding as main database, xrefs: 0042F76F
• database %s is already in use, xrefs: 0042F6C5
• database is already attached, xrefs: 0042F721
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
• Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
• Opcode Fuzzy Hash: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
• Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59

APIs
• DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• free.MSVCRT ref: 004185AC
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$free
• String ID:
• API String ID: 2802642348-0
• Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
• Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
• LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
• Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
• Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
• Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D

APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                        Similarity
                                                                                                                        • API ID: memset$memcpy$ErrorLast
                                                                                                                        • String ID: 6$\
                                                                                                                        • API String ID: 404372293-1284684873
                                                                                                                        • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                                        • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                                        • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                                        • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
• Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
• Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
• Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
• Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
APIs
Strings
• <%s>, xrefs: 004100A6
• <?xml version="1.0" ?>, xrefs: 0041007C
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
• Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
• Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
• Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
• Instruction Fuzzy Hash: F01C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
• Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
• Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
• Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
• Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
• Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
• Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
• Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
• Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• API String ID: 4131475296-0
• Opcode ID: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
• Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
• Opcode Fuzzy Hash: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
• Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
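Two of the function records above are the ones a reviewer would pivot on first: the loader that builds a path under GetSystemDirectoryW, calls LoadLibraryW and then resolves five exports by hand with GetProcAddress (String ID advapi32.dll), and the function that opens Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders and walks it with RegEnumValueW. The Python script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses these bullet-style records into structures and flags both patterns, so a reviewer can sort a long run of such records by behaviour rather than by scrolling. The flag names, and the assumption that every record opens with its APIs heading, are this script's own; the embedded sample is copied from the two records named above and is labelled as such in the code.

```python
"""Parse Joe Sandbox "IDA Plugin" function records and flag API patterns for triage.

Added example, not part of the Joe Sandbox report or its tooling. The record
layout (APIs / Strings / Memory Dump Source / Similarity blocks of bullet items)
is taken from the report; the flag names below are this script's own.
"""
import re
from typing import Dict, List, Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
DYNAMIC_LOADERS = {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA"}

# One API bullet: "Name.MODULE(args), ref: ADDR" or the arg-less "Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\),)?"
    r" ref: (?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")

# Constructed sample: two records copied from the report (the advapi32.dll loader and the
# Shell Folders enumerator), keeping the "Download File" link text the page extraction
# glues onto one dump name, so the parser shows it being stripped.
SAMPLE = r"""
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
APIs
  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• API String ID: 4131475296-0
"""


def parse_records(text: str) -> List[Dict]:
    """Split report text into one dict per function record (a record opens at each 'APIs')."""
    records: List[Dict] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Download File"):          # interactive-page residue, not data
            line = line[: -len("Download File")]
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                records.append({"apis": [], "strings": [], "dump": [], "similarity": {}})
            section = line
            continue
        if not line.startswith("•") or not records:
            continue
        item, rec = line.lstrip("•").strip(), records[-1]
        if section == "APIs" and (m := API_RE.match(item)):
            rec["apis"].append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                                "subcall": m["sub"],
                                "args": m["args"].split(",") if m["args"] is not None else []})
        elif section == "Strings" and (m := STRING_RE.match(item)):
            rec["strings"].append({"text": m["text"], "xref": m["xref"]})
        elif section == "Similarity":
            key, _, value = item.partition(":")
            rec["similarity"][key.strip()] = value.strip()
        elif section is not None:
            rec["dump"].append(item)
    return records


def triage(rec: Dict) -> List[str]:
    """Name the behaviours worth pivoting on in one record (flag names are this script's)."""
    apis = {a["api"] for a in rec["apis"]}
    args = [arg for a in rec["apis"] for arg in a["args"]]
    flags = []
    if apis & DYNAMIC_LOADERS and "GetProcAddress" in apis:
        flags.append("dynamic-import-resolution")   # DLL loaded at run time, exports looked up by hand
    if "GetSystemDirectoryW" in apis:
        flags.append("system32-path-built")         # full path assembled before the LoadLibraryW call
    if any(a.startswith(("RegOpenKey", "RegEnum")) for a in apis):
        flags.append("registry-enumeration")
    if any("Shell Folders" in arg for arg in args):
        flags.append("shell-folders-lookup")        # resolves per-user profile directories
    return flags


def triage_report(text: str) -> List[Dict]:
    """Parse and flag every record; 'ref' is the first call site listed in the record."""
    return [{"ref": r["apis"][0]["ref"] if r["apis"] else None,
             "api_id": r["similarity"].get("API ID", ""),
             "flags": triage(r)} for r in parse_records(text)]


if __name__ == "__main__":
    for row in triage_report(SAMPLE):
        print(row["ref"], row["api_id"], ", ".join(row["flags"]) or "-")
```

Run against the full report text instead of SAMPLE to get one line per function; records whose API ID contains only string and memory helpers come out unflagged, which is the point of the exercise. The args regex is greedy up to the last "),", so an argument such as the "%s (%s)" format string seen elsewhere on this page does not split a call in two.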
APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
• Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
• Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
• Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
• Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                        APIs
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: AttributesFilefreememset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2507021081-0
                                                                                                                        • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                                        • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                        • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                                        • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                        APIs
                                                                                                                        • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                        • malloc.MSVCRT ref: 00417524
                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                        • free.MSVCRT ref: 00417544
                                                                                                                        • free.MSVCRT ref: 00417562
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4131324427-0
                                                                                                                        • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                        • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                        • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                        • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                        APIs
                                                                                                                        • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                        • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                        • free.MSVCRT ref: 0041822B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: PathTemp$free
                                                                                                                        • String ID: %s\etilqs_$etilqs_
                                                                                                                        • API String ID: 924794160-1420421710
                                                                                                                        • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                        • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                        • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                        • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                        APIs
                                                                                                                        • wcscpy.MSVCRT ref: 0041477F
                                                                                                                        • wcscpy.MSVCRT ref: 0041479A
                                                                                                                        • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                        • String ID: General
                                                                                                                        • API String ID: 999786162-26480598
                                                                                                                        • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                        • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                        • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                        • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                        APIs
                                                                                                                        Strings
                                                                                                                        • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                        • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memcpy
                                                                                                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                        • API String ID: 3510742995-272990098
                                                                                                                        • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                        • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                        • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                        • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0044A6EB
                                                                                                                        • memset.MSVCRT ref: 0044A6FB
                                                                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memcpymemset
                                                                                                                        • String ID: gj
                                                                                                                        • API String ID: 1297977491-4203073231
                                                                                                                        • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                        • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                        • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                        • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                        APIs
                                                                                                                        • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                        • malloc.MSVCRT ref: 004174BD
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                        • free.MSVCRT ref: 004174E4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4053608372-0
                                                                                                                        • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                        • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                        • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                                                        • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                        APIs
                                                                                                                        • GetParent.USER32(?), ref: 0040D453
                                                                                                                        • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                        • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                        • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                        • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Window$Rect$ClientParentPoints
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4247780290-0
                                                                                                                        • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                        • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                        • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                        • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
• Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
• Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
• Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
• Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
APIs
• wcscpy.MSVCRT ref: 0044475F
• wcscat.MSVCRT ref: 0044476E
• wcscat.MSVCRT ref: 0044477F
• wcscat.MSVCRT ref: 0044478E
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 102104167-2245444037
• Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
• Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
• Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
• Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
• Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
• Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
• Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: AE$"
• API String ID: 568519121-1989281832
• Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
• Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
• Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
• Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
• Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
• Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
• Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
• Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Strings
Memory Dump Source
• Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
• Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
• Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 00412057
                                                                                                                          • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                                                                        • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                        • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                        • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3550944819-0
                                                                                                                        • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                                        • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                        • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                                        • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                        APIs
                                                                                                                        • free.MSVCRT ref: 0040F561
                                                                                                                        • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                        • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memcpy$free
                                                                                                                        • String ID: g4@
                                                                                                                        • API String ID: 2888793982-2133833424
                                                                                                                        • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                        • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                                        • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                        • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 004144E7
                                                                                                                          • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                          • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                        • memset.MSVCRT ref: 0041451A
                                                                                                                        • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1127616056-0
                                                                                                                        • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                                        • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                        • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                                        • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                        APIs
                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                        • malloc.MSVCRT ref: 00417459
                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                                                                                                        • free.MSVCRT ref: 0041747F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$freemalloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2605342592-0
                                                                                                                        • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                                        • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                                        • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                                        • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                                                                        • RegisterClassW.USER32(00000001), ref: 00412428
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                        • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2678498856-0
                                                                                                                        • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                                        • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                        • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                                        • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0040F673
                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                                                                        • strlen.MSVCRT ref: 0040F6A2
                                                                                                                        • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2754987064-0
                                                                                                                        • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                                        • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                        • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                                        • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                        APIs
                                                                                                                        • memset.MSVCRT ref: 0040F6E2
                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                                                                        • strlen.MSVCRT ref: 0040F70D
                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2754987064-0
                                                                                                                        • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                                        • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                                        • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                                        • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                                        APIs
                                                                                                                          • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                          • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                          • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                        • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                        • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                        • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 764393265-0
                                                                                                                        • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                        • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                                        • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                        • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                                        APIs
                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                        • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Time$System$File$LocalSpecific
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 979780441-0
                                                                                                                        • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                        • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                                        • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                        • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                                        APIs
                                                                                                                        • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                        • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                        • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: memcpy$DialogHandleModuleParam
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 1386444988-0
                                                                                                                        • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                        • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                                        • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                        • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                                        APIs
                                                                                                                        • wcschr.MSVCRT ref: 0040F79E
                                                                                                                        • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                          • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                          • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: wcschr$memcpywcslen
                                                                                                                        • String ID: "
                                                                                                                        • API String ID: 1983396471-123907689
                                                                                                                        • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                                        • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                                        • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                                        • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                                        APIs
                                                                                                                        • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                        • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: _snwprintfmemcpy
                                                                                                                        • String ID: %2.2X
                                                                                                                        • API String ID: 2789212964-323797159
                                                                                                                        • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                        • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                        • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                        • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                        APIs
                                                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                                        • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: LongWindow
                                                                                                                        • String ID: MZ@
                                                                                                                        • API String ID: 1378638983-2978689999
                                                                                                                        • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                                        • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                                                        • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                                        • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                                                        APIs
                                                                                                                        • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                        • free.MSVCRT ref: 0040B201
                                                                                                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                          • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                          • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                        • free.MSVCRT ref: 0040B224
                                                                                                                        • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: free$memcpy$mallocwcslen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 726966127-0
                                                                                                                        • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                                        • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                                        • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                                        • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                                        APIs
                                                                                                                        • strlen.MSVCRT ref: 0040B0D8
                                                                                                                        • free.MSVCRT ref: 0040B0FB
                                                                                                                          • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                          • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                          • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                        • free.MSVCRT ref: 0040B12C
                                                                                                                        • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: free$memcpy$mallocstrlen
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3669619086-0
                                                                                                                        • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                                        • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                                        • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                                        • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                                        APIs
                                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                        • malloc.MSVCRT ref: 00417407
                                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                        • free.MSVCRT ref: 00417425
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000001.00000002.1721211071.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        • Associated: 00000001.00000002.1721211071.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_1_2_400000_1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: ByteCharMultiWide$freemalloc
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2605342592-0
                                                                                                                        • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                                        • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                        • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                                                        • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5